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(54) Cryptographic processing apparatus, cryptographic processing method, and storage 

medium storing cryptographic processing program for improving security without greatly 
increasing hardware scale and processing time 



(57) A cryptographic processing apparatus for per- 
forming cryptographic processing using input data to 
generate output data is provided. The cryptographic 
processing apparatus includes a storage unit for storing 
chain data which is used for reflecting present crypto- 
graphic processing on next cryptographic processing, 
and for renewing the chain data each time cryptographic 
processing is performed, a merging unit for merging the 
chain data stored in the storage unit with the input data 



to generate merged data, and a main cryptographic 
processing unit for performing main cryptographic 
processing using the merged data to generate output 
data and for outputting intermediate data generated dur- 
ing a generation of the output data, wherein the storage 
unit renews the chain data by storing the intermediate 
data outputted by the main cryptographic processing 
unit as the new chain data, which is used for the next 
cryptographic processing. 
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Description 

BACKGROUND OF THE INVENTION 
5 1 Field of the Invention 
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aslorag.r»ediumstoringaciyptograr*icp^^^ 

security without greatly increasing hardware scale and processing time. 
2. Description of the Prior Art 

while a .ex. converted from the plaintext, from which it is cMbcuM or fwd J^J^V inverse conversion 

as "ciphertexf. Conversion from the plaintext to the cphertext is referred to as encrypuo 

,or restoring the original plaintext from the ciphertext ^^^^^ is a parameter of the algorithm. 

A content of encryption or decryption ,s specified by an while the key specifies one con- 

The algorithm specifies a conversion family composed of B ^^T^^L corresponds to a fixed part 
version out of the plurality of conversions in the conversion family. Generally, the aigornnm 

in the apparatus, where the key is ^ casional| yf a " ged M . mDoin _ An act by an unauthorized party such as an 
'""SS, ^ attempts .0 decrypt a cipher (h.rernatter. -cryp.anar,*-) does so in •» — ptfcn that ma 
^f^^V^^^T^ a p ,al» correspc^ingtoan a,« W 

,„ Js olographic processing me,h£a = »,e, -b^", J 
each device as a seed to generate a random number ol a P^Hde,iees have me same algorithm, then the 
random number generator vmere the random ^«°™^^^ZZL number L a plaintext to, 
transmitter generates a ciphertext by performing an »*f eOFT ™ K tes ,„„ oligina | pl aMexl by 

^g^r^r^ 

"•ri^enabloc^meplainte.disrepresentedas-M-.ab,^ 

■R- andtheexclusive-ORoperationforeachcorrespondmgbitas (+) , the encryption can d 

■Formula r, the decryption as the following -Formula 2". 



so 



C=M( + )R (FOfmU,a 1) 



55 



™„ mo thr^ ie that it is vulnerable against the "known-plaintext attack". 

Jr-~=~ES--==»~ 
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R=M(+)C (Formula 3). 

Accordingly, the cryptanalyst can decrypt the pseudo-random-number-sum-type ciphertext without difficulty by the 
5 known-plaintext attack. 

Cryptographic processing methods which are relatively secure against the known-plaintext attack include Data 
Encryption Standard (DES) and Fast Data Encipherment Algorithm (FEAL). These methods are explained in detail in 
Eiji Okamoto An Introduction to Encryption Theory, published by Kyoritsu. 

In these cryptography methods, data is intensely shuffled in units of block (64 bits per block). For example, in the 
10 DES algorithm, a process which combines transposition with substitution is repeated for sixteen stages. 

Cipher Block Chaining mode (hereinafter, CBC mode) has been proposed in order to improve security of the DES 
methods against cryptanalysis and other unauthorized acts. The CBC mode is explained in detail in Nobuichi Ikeno 
and Kenji Koyama Modem Encryption Theory, published by Institute of Electronic Information and Communication (pp. 
66-67). 

is Fig. 1 shows the construction of an encryption apparatus 30 which realizes the CBC mode. 

The encryption apparatus 30 includes an exclusive-OR unit 301 , a data encryption unit 302, and a register 303. 

The register 303 stores one ciphertext block which was obtained immediately before processing a present plaintext 
block. It should be noted that an initial value IV of one block is set in advance for encrypting a first plaintext block. 

The exclusive-OR unit 301 performs, for each corresponding bit, an exclusive-OR operation on the immediately 
io preceding ciphertext block which is stored in the register 303 and the present plaintext block to be encrypted, and 
sends the obtained data to the data encryption unit 302. When encrypting the first plaintext block, an exclusiveOR 
operation is performed on the initial value IV and the first plaintext block for each corresponding bit. 

The data encryption unit 302 encrypts the 64-bit data sent from the exclusive-OR unit 301 using the DES algorithm 
and 64-bit key data. 

25 Thus, the encryption apparatus 30 first performs an exclusive-OR operation on the initial value IV and the first 

plaintext block for each corresponding bit and encrypts the result using the 64-bit key data to obtain one ciphertext 
block. The encryption apparatus 30 then performs an exclusiveOR operation on the ciphertext block and a next plain- 
text block for each corresponding bit and encrypts the result to obtain another ciphertext block. 

When a block in the plaintext is represented as "Mi", a block in the ciphertext as "Ci" (i is a block number 2, 3, ..: ), 

so the 64-bit key data as "K", the encryption using the key data K as "Ek", and the exclusiveOR operation for each 
corresponding bit as "(+)", the CBC mode can be described by the following "Formula 4" and "Formula 5": 

C1=Ek(M1(+)IV) (Formula 4) 

35 

Ci=Ek(Mi(+)Ci-1) (i=2, 3, ... ) (Formula 5). 

In the CBC mode, each Ci depends on all ciphertext data preceding Ci, so that statistical characteristics of the 
40 plaintext are disturbed. As a result, the CBC mode is relatively secure against cryptanalysis and other unauthorized acts. 

A drawback with the DES methods, the FEAL methods, the CBC mode in the DES methods and the like is that an 
algorithm is known and the length of a key is limited, so that it is not practically impossible to obtain the proper key by 
performing decryption using every possible key in the known-plaintext attack. It should be noted here that each key of 
64 bits in the DES methods includes 8 parity bits, so that the valid key length is 56 bits. Accordingly, the number of 
45 possible keys is 2 56 . 

When, as in DES methods, the key is around 56 bits long, it is believed that it would be possible with current 
technology to succeed in decoding by trying all possible keys, though this would require a tremendous cost. However, 
if encryption is performed in multilevel using a plurality of separate keys, it would be impossible with the current tech- 
nology to succeed in decoding by trying all possible keys. 
so On the other hand, in view of rapid improvement in the processing ability of computers in recent years, it is not 

unthinkable that in the future it may become possible to succeed in decoding by trying all possible keys despite the 
multilevel encryption. 

Also, though the larger the scale of the multilevel encryption, the further the security of the system will improve, it 
is not desirable to simply make conventional encryption apparatuses perform encryption in multilevel, as it causes 
ss profound increases in hardware scale and processing time. 

Conventional techniques which can improve the security of the CBC mode and the like without performing multilevel 
encryption are taught in JPN. 52-130504 (cryptographic apparatus) and JPN. 8-12537 (encryption apparatus). In the 
former reference, key data is renewed based on an immediately preceding cryptographic processing result such as a 



EP 0 874 496 A2 



in the latter relerence, on the other hand, 



system. 

SUMMARY OF THE INVENTION 

0 oener^n o. L output data, wherein the storage unit renege cha-n y ^ ^ cryptographic p^ess,^ 
» S^SS renew* ^* •» Cf VP to 9 raph,C pr ° Ce f *JE£JS£ are distorted by each chain data, making 

the processing time. 
« RRIFF DESCRIPTION OF THE DRAWINGS 

3S BRIEF DEbon.r tinnwi ,l become apparent from the following de- 

invention. In the drawings: ^ 

c- 1 chows the construction of the encryption apparatus 30 ^^^^^^^1 oUhe present invention; 

Fig. 8 snows in nH o 06 of First Embodiment of the present 

invention, ,-~,«fth*. fraction data processing unit 206 of Hrsitmouu 

Fin 9 shows the detailed construction of the fraction oa w ,,. „. 

Sirs.— 
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invention; 

Fig. 1 3 shows the detailed construction of the data decryption apparatus 20 of Second Embodiment of the present 
invention; 

Fig. 14 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Second Em- 
bodiment of the present invention; 

Fig. 15 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Second Em- 
bodiment of the present invention; 

Fig. 16 shows the detailed construction of the data encryption apparatus 10 of Third Embodiment of the present 
invention; 

Fig. 17 shows the detailed construction of the data decryption apparatus 20 of Third Embodiment of the present 
invention; 

Fig. 18 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Third Embod- 
iment of the present invention; 

Fig. 19 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Third Embod- 
iment of the present invention; 

Fig. 20 shows the detailed construction of the data encryption apparatus 10 of Fourth Embodiment of the present 
invention; 

Fig. 21 shows the detailed construction of the data decryption apparatus 20 of Fourth Embodiment of the present 
invention; 

Fig. 22 is a flowchart showing the cryptographic processing of the data encryption apparatus 1 0 of Fourth Embod- 
iment of the present invention; 

Fig. 23 is a flowchart showing the cryptographic processioo^lJiedata decryption apparatus 20 of Fourth Embod- 
iment of the present invention; 

Fig. 24 shows the detailed construction of the data encryption apparatus 10 of Fifth Embodiment of the present 
invention; 

Fig. 25 shows the detailed construction of the data decryption apparatus 20 of Fifth Embodiment of the present 
invention; 

Fig. 26 is a flowchart showing the cryptographic processing of the data encryption apparatus 1 0 of Fifth Embodiment 
of the present invention; 

Fig. 27 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Fifth Embodiment 
of the present invention; 

Fig. 28 shows the detailed construction of the data encryption apparatus 10 of Sixth Embodiment of the present 
invention; 

Fig. 29 shows the detailed construction of the data decryption apparatus 20 of Sixth Embodiment of the present 
invention; 

Fig. 30 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Sixth Embod- 
iment of the present invention: 

Fig. 31 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Sixth Embod- 
iment of the present invention; 

Fig. 32 shows the detailed construction of the data encryption apparatus 1 0 of Seventh Embodiment of the present 
invention; 

Fig. 33 shows the detailed construction of the data decryption apparatus 20 of Seventh Embodiment of the present 
invention; 

Fig. 34 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Seventh Em- 
bodiment of the present invention; 

Fig. 35 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Seventh Em- 
bodiment of the present invention; 

Fig. 36 shows the detailed construction of the data encryption apparatus 10 of Eighth Embodiment of the present 
invention; 

Fig. 37 shows the detailed construction of the data decryption apparatus 20 of Eighth Embodiment of the present 
invention; 

Fig. 38 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Eighth Embod- 
iment of the present invention; 

Fig. 39 shows the detailed construction of the data encryption apparatus 10 of Ninth Embodiment of the present 
invention; 

Fig. 40 shows the detailed construction of the data decryption apparatus 20 of Ninth Embodiment of the present 
invention; 

Fig. 41 shows the detailed construction of the data encryption apparatus 10 of Tenth Embodiment of the present 
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DESCRIPTION OF THE PREFERRED EMBODIMENT 

First Embodiment 



««-»h nf an encryption apparatus which generates ciphertext 
First Embodiment of the present invention .s composed oU an encryi pti PP ^ cjphertext data (the 

data from plaintext data and a decryption apparatus wh.ch ^Zxo as Cjtogiaphte processing apparatus which 
e?c^ionVratus and the decryption apparat^ 

geneLsoutputdatafromcryptog^ are s cified by key data (the encryption 

% performing encryption processing and ^^ P'^^ ? cryptograp hic process^). In this cryptographs 
so pressing and the decryption *«>^™™*^££^ pressing is performed on one Ho* an 
processing apparatus of First ^^^^^^^ «■ ^ aS * ^ ^ ^ " *"* 

55 <Construction> 

Construction of Encrypted Communication System> 

arc* t=mhnHiment ot the present invention. 

Fig 2shows the construction of an encry^ 
^ encrypted commun^^^ 
obtained ciphertext data and a recewer 2 ^^^^c 2 is also shown in the figure, 
the ciphertext data is transmitted from the transmrtter 1 ^J^^ , 0 and a transm.ss.on un.t 11 . 

/Sshowninthefigure,thetransmitt e r1 Is ^ p P* d ^ *** are CaCh com P° sed ,? * 

The data encryption apparatus 10 '^f^^^^S^Li in advance and a predetermined algonthm 
predetermined number of brts, using key data wh^h has 

Lrdertoobtain ciphertext datafromthe^ 

£r«rsrpr^^ 

Wttnc.. ... 1(ansmlsslon * ich is g.n.raW by p-fcoring P-oc.^9 «* " ™*" 

Th. racpta unit 21 rack*, ft. ™ s »f™*XX 1 oau, to !» *«• *> W to W'T, „,«,. 

termined algorithm to obtain the plaintext data. 
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Construction of Data Encryption Apparatus 10> 

Fig. 3 shows the detailed construction of the data encryption apparatus 10, which is shown in Fig. 2, of First 
Embodiment of the present invention, 
s The data encryption apparatus 10 includes a bbck dividing unit 101, a block storage unit 102, a key data merging 

unit 103, a subkey generation unit 104, first to eighth encryption units 105a-105h, a fraction data processing unit 106, 
and a block integration unit 107. 

When comparing the conventional encryption apparatus 30 shown in Fig. 1 and the data encryption apparatus 1 0 
of First Embodiment of the present invention, the exclusive-OR unit 301 corresponds to the key data merging unit 103, 
10 the data encryption unit 302 corresponds to the block dividing unit 101. the subkey generation unit 104, the first to 
eighth encryption units 105a-105h, the fraction data processing unit 106, and the block integration unit 107, and the 
register 303 corresponds to the block storage unit 102. 

The block dividing unit 101 divides input plaintext data into 64-bit blocks of plaintext data (hereinafter, "plaintext 
block"), which are then sent in turn to the first encryption unit 105a. When fraction plaintext data which is smaller than 
is 64 bits is left behind after the plaintext data is divided into plaintext blocks, the traction plaintext data is sent to the 
fraction data processing unit 106. In the present example, plaintext data of 200 bits is inputted and divided into a first 
plaintext block composed of the first to 64th bits, a second plaintext block composed of the 65th to 128th bits, a third 
plaintext block composed of the 129th to 192th bits, and fraction plaintext data composed of the 193th to 200th bits. 
The block dividing unit 101 then sends in turn the first to third plaintext blocks to the first encryption unit 105a, and the 
20 fraction plaintext data to the fraction data processing unit 106. 

When each plaintext block is processed, the block storage unit 102 stores a chain block which is used for reflecting 
a present block on a next block. It should be noted that an initial value IV of the chain block is stored in the block storage 
unit 102 in advance for processing the first plaintext block. 

The key data merging unit 1 03 merges the chain block stored in the block storage unit 1 02 with key data to generate 
25 merged key data. In the present example, for processing the first plaintext block, an exclusive-OR operation is per- 
formed on the initial value IV of the 64-bit chain block and 64-bit input key data which has been determined in advance 
for each corresponding bit. For processing the second and third plaintext blocks, an exclusiveOR operation is per- 
formed, for each corresponding bit, on the 64-bit key data and a 64-bit chain block generated during the processing 
of the immediately preceding plaintext block. 
30 The subkey generation unit 104 generates a number of subkeys corresponding to a number of encryption units 

from the merged key data which has been generated by the key data merging unit 103. In the present example, eight 
48-bit subkeys are generated from the 64-bit merged key data. 

The first encryption unit 105a generates a first intermediate block from a plaintext block using a first subkey 
The second to seventh encryption units 105b-105g generate second to seventh intermediate blocks from the first 
35 to sixth intermediate blocks using second to seventh subkeys, respectively 

The eighth encryption unit 105h generates one block of ciphertext data (hereinafter, "ciphertext block") from the 
seventh intermediate block using an eighth subkey 

The first to eighth encryption units 105a-105h have the same construction, in which conversion processing is 
performed in eight stages, the conversion processing being composed of a process of converting higher 32 bits of a 
to 64-bit input block using lower 32 bits of the 64-bit input block based on a conversion specified by a 48-bit subkey and 
a process of replacing the converted higher 32 bits with the lower 32 bits in series. In the present example, first to 
seventh intermediate blocks are progressively generated for each of the first to third plaintext blocks, with first to third 
ciphertext blocks being generated from the resulting intermediate blocks. 

Fig. 4 shows the detailed construction of the first to eighth encryption units 105a-105h. 
45 a 64-bit plaintext block is divided into higher 32 bits and lower 32 bits. When the higher 32-bit is represented as 

"HO", the lower 32-bit as "L0" : input of an "nth encryption unit as "{H(n-1), L(n-1)}", and output as "(Hn, Ln)" ( Hn and 
Ln are described by the following "Formula 6" and "Formula 7": 

Hn=L(n-1) (Formula 6) 



Ln=H(n-1 ) (+) f {L(n-1 ), Kn} (Formula 7). 

55 Here, "(+)" represents the exclusive-OR operation for each corresponding bit, "Kn" represents a 48-bit subkey 

inputted into the "nth encryption unit, and T represents a function for outputting 32-bit data using "L(n-1 )" and "Kn". 
Fig. 5 shows the detailed construction of a unit which calculates the function "f". 

32 bits of L(n-1) are expanded to 48 bits and rearranged according to expansion E shown in the following table 
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(Table 1). 
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processing or the choice functions ie described with corresponds substMon ales. 

Fig. 6 shows me snbsttlution lables ol the cho»e runctons svsa_ ^ 4 ^ and 16 

Each choice lunclion is provided with 64 numerals each in a range ol 0 15. wn 
"'T nrs, bi, and the M b» ou, o, feu. * bits specily a tine in ,he s U bs«*n tabie. and the 4 bits sp«c«v 

a column in the table. * llrt „tion qi the first bit "0" and the last bit "1 " specify the 

permutation P shown in the following table (Table 2), and as a result outputted t W 

(Table 2) 
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State block as the new chain block, which is ^^^^SSS^i value IV in advance, which is used for 
In the present example, the block storage unit 102 s ores ^ 64 -nma & ^ jntermedjate 

processing the first plaintext b.ock. The block ^^™^££Z renewed chan block is then used for 
block which was generated during the processing tne chain block by storing a fourth inter- 

processing the second plaintext block, and the ^^^^K Next, the renewed chain block is used 
mediated block generated during the P"^^^^^ the chain block by storing a fourth 
for processing the third plaintext block, and the ^^^^^ renewed chain block is then used 
intermediate block generated during the process.ng of the third plamtext biccK. 

^ P ^S^^^0e rece.es the fraction plaintext data from the b.ock d.iding unit ,01. and 
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generates fraction ciphertext data whose number of bits is the same as the fraction plaintext data using the chain block 

stored in the block storage unit 102. The fraction data processing unit 106 includes a data matching unit 106a and a 

fraction data merging unit 106b. 

Fig. 7 shows the detailed construction of the fraction data processing unit 106, which is shown in Fig. 3, of First 
5 Embodiment of the present invention. 

The data matching unit 106a generates fraction chain data whose number of bits is the same as the fraction 

plaintext data from the chain block stored in the block storage unit 102. In the present example, the fraction plaintext 

data is 8 bits, so that the data matching unit 106a generates fraction chain data which is composed of, for instance, 

highest 8 bits of the chain block stored in the block storage unit 102. 
10 The fraction data merging unit 106b merges the generated fraction chain data with the fraction plaintext data. In 

the present example, an exclusive-OR operation is performed on 8 bits of the fraction chain data and 8 bits of the 

fraction plaintext data for each corresponding bit to generate 8 bits of fraction ciphertext data. 

The block integration unit 107 integrates each ciphertext block generated by the eighth encryption unit 105h and 

the fraction ciphertext data generated by the fraction data processing unit 1 06 to generate ciphertext data. In the present 
is example, the 64-bit first to third ciphertext blocks and the 8-bit fraction ciphertext data are integrated to form ciphertext 

data of 200 bits. 

It should be noted here that, although the block storage unit 102 renews the chain block using each fourth inter- 
mediate block generated by the fourth encryption unit 105d in the present example, any intermediate blocks generated 
during the processing can also be used. Accordingly, the block storage unit 102 may use one of the first to seventh 
-to intermediate blocks generated by the respective first to seventh encryption units 105a-105g as the new chain block. 

Construction of Data Decryption Apparatus 20> 

Fig. 8 shows the detailed construction of the data decryption apparatus 20, which is shown in Fig. 2, of First 
25 Embodiment of the present invention. 

The data decryption apparatus 20 includes a block dividing unit 201 , a block storage unit 202, a key data merging 
unit 203, a subkey generation unit 204, first to eighth decryption units 205a-205h, a fraction data processing unit 206, 
and a block integration unit 207. 

When comparing the conventional encryption apparatus 30 shown in Fig. 1 and the data decryption apparatus 20 
30 shown in Fig. 8, the exclusive-OR unit 301 corresponds to the key data merging unit 203, the data encryption unit 302 
corresponds to the block dividing unit 201 , the subkey generation unit 204, the first to eighth decryption units 205a- 
205h, the fraction data processing unit 206, and the block integration unit 207, and the register 303 corresponds to the 
block storage unit 202. 

The block dividing unit 201 divides input ciphertext data into 64-bit ciphertext blocks, which are then sent in turn 

35 to the first decryption unit 205a. When fraction ciphertext data which is smaller than 64 bits is left behind after the 
ciphertext data is divided into ciphertext blocks, the fraction ciphertext data is sent to the fraction data processing unit 
206. In the present example, ciphertext data of 200 bits is inputted and divided into a first ciphertext block composed 
of the first to 64th bits, a second ciphertext block composed of the 65th to 1 28th bits, a third ciphertext block composed 
of the 129th to 192th bits, and fraction ciphertext data composed of the 193th to 200th bits. The block dividing unit 101 

40 then sends in turn the first to third ciphertext blocks to the first decryption unit 205a, and the fraction ciphertext data 
to the fraction data processing unit 206. 

When each block which has been divided by the block dividing unit 201 is processed, the block storage unit 202 
stores a chain block which is used for reflecting a present block on a next block. It should be noted that an initial value 
IV of the chain block is stored in the block storage unit 202 in advance for processing the first ciphertext block. This 

« initial value IV is the same as the initial value IV used in the data encryption apparatus 10. That is to say, an initial 
value IV which is used for encrypting plaintext data is the same as an initial value IV which is used for decrypting 
ciphertext data corresponding to the plaintext data. 

The key data merging unit 203 merges the chain block stored in the block storage unit 202 with key data to generate 
merged key data. It should be noted here that this merging is the same as the merging performed by the key data 

50 merging unit 103 of the data encryption apparatus 10. Also, the key data used in the data decryption apparatus 20 is 
the same as the key data used in the data encryption apparatus 1 0. That is to say, key data used for encrypting plaintext 
data is the same as key data used for decrypting ciphertext data corresponding to the plaintext data. In the present 
example, for processing the first ciphertext block, an exclusive-OR operation is performed on the initial value IV of the 
64-bit chain block and 64-bit input key data which has been determined in advance for each corresponding bit. For 

55 processing the second and third ciphertext blocks, an exclusive-OR operation is performed, for each corresponding 
bit, on the 64-bit key data and a 64-bit chain block generated during the processing of the immediately preceding 
ciphertext block. 

The subkey generation unit 204 generates a number of subkeys corresponding to a number of decryption units 
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from the merged key data which h» .been generated by the ke data m g g ^ ^ ^ ge 

48-bit subkeys are generated from the ^^l^^Z^ apparatus 20 is the same as the lunction of 
,he subkeys by the subkey generate unrt 20 [^.f^X^enZ?^ apparatus 10. 

^^^^^^^ ™ a ciphertext b,ock using an ei9hth 

SM Z second to seventh decrypt un*s 205b-205 g generate sixth to «rst intermediate b.oc kS from the seventh to 
second intermediate blocks using seventh to se a C0 ^. s .^ y ^ L intermediate block using a first subkey. 
The eighth decryption unit 205h f^^^^^ in which converse processing is 

The first to eighth decryption units 205a-205h have the < same conV erting higher 32 bits of a 

performed in eight stages, the conversion ^^^^^^^^ specified by a 48-brt subkey and 
64-bit input block using lower 32 brts of the ^^V^i^^^s in series. In the present example, seventh to 
a process of replacing the converted higher 32 « ^he .owe Kb jnn « >■ P ^ ^ ^ fjrst to thjrd 

first intermediate blocks are progressively generated °r e^ch °f the t. ^ ^ conversjons per . 

plaintext blocks being generated from the resul ^^^^ of the conversions performed by the 
formed by the first to eighth decryption unrts 20 5a-205h are ' respectively, 
eighth to first encryption units 105h-l05a of Each time the fourth decryption unit 205d 

The block storage unrt 202 is equipped wi h a block chain block by storing the fourth interme- 
generates a fourth intermediate block, the block stc age u n ^JiJ ^ 
Lte block as the new chain btock, which w,.l ^"^^X^u. IV of 64 bits in advance, whtoh is used 
in the present example, the block storage , un* 202 ^ storey M Mn*a a ^ jnter . 

for processing the first ciphertext btock. The « ^ £Tas the new cha in block. The renewed chain 
mediate block generated during ^^J^^S^ ».ock «™» ^ 202 ren ° WS ** *** ^ 

^^^^ 

f ng 'KSff dSdconstruction of the fraction data processing unrt 206. which is shown in Fig. 8. of F.rst 

highest 8 bits of the chain block stored in the block storage ^ ^ ^ the f raction ciph ertext data. In 

The fraction data merging unrt 206b merges the O^^JJ^ the {ract ion chain data and 8 brts of the 
» the present example, an exclusive-OR operation , -P^^e^ST,^ plaintext data. 

fraction ciphertext data for each correspond^ ^JSS^J^eM by the eighth decryption unit 205h and 
The block integration unit 207 ^tegrates each jj^*^^ t0 ^ nerat e plaintext data. In the present 

i^^^ - integratedtoform p,awe * 

45 "Tsh^notedhere^^ 

mediate block generated by the fourth de c^fon unit ^ -£££S»2 may use one of the seventh to first 
during the processing can also be used. ^^^J^SS^ on rts 20 5 a-205g as the new chain block, 
intermediate blocks generated by the r^^'^TSS data decryption apparatus 20 should be the 

<Operation> 

ss <Operation of Data Encryption Apparatus 10> 
of the present invention. 
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As one example, a case is explained when the cryptographic processing is performed according to the DES algo- 
rithm in the data encryption apparatus 10 where 200-bit plaintext data is inputted and the initial value IV of the chain 
block is stored in the block storage unit 102 in advance. 

(1) The block dividing unit 101 judges whether unprocessed data of input plaintext data is equal to or larger than 
64 bits (Step S101). In the present example, unprocessed data of the input plaintext data is originally 200 bits, so 
that the block dividing unit 101 judges that the unprocessed data is equal to or larger than 64 bits (Step S101: first 
time). 

(2) When the unprocessed data of the input plaintext data is equal to or larger than 64 bits, the first 64 bits are 
separated from the unprocessed data (Step S102). In the present example, the first to 64th bits of the 200-bit 
plaintext data are separated as a first plaintext block (Step S102: first time). 

(3) The key data merging unit 103 merges the chain block stored in the block storage unit 102 with key data to 
generate merged key data (Step S103). In the present example, an exclusive-OR operation is performed on the 
initial value IV of the 64-bit chain block and 64-bit key data for each corresponding bit to generate merged key 
data, which is then sent to the subkey generation unit 104 (Step S103: first time). 

(4) From the merged key data, the subkey generation unit 104 generates subkeys whose number is the same as 
the number of encryption units (Step S1 04). In the present example, eight 48-bit subkeys are generated from the 
64-bit merged key data (Step S104: first time). 

The following is an example of the process of generating first to eighth 48-bit subkeys (48 bits X 8) from the 64-bit 
key data which includes 8 parity bits. 

The 8 parity bits are removed from the 64-bit key data, and the remaining 56 bits are transposed according to 
transposition shown in the following table (Table 3). 



(Table 3) 



57 


49 


41 


33 


25 


17 


9 


1 


58 


50 


42 


34 


26 


18 


10 


2 


59 


51 


43 


35 


27 


19 


11 


3 


60 


52 


44 


36 


63 


55 


47 


39 


31 


23 


15 


7 


62 


54 


47 


38 


30 


22 


14 


6 


61 


53 


45 


37 


29 


21 


13 


5 


28 


20 


12 


4 



The table shows new bit positions to which input bits are transposed. For example, the 57th bit of the input bits is 
transposed to tho first bit of the output bits, while the 49th bit of the input bits is transposed to the second bit of the 
output bits. 

The 56-bit key data is divided into the first half 28 bits represented as "CO" and the second half 28 bits as "DO", 
each of "CO" and "DO" being shifted to the left for a number of shifting times shown in the following table (Table 4) so 
as to generate C1-C8 and D1-D8. 



(Table 4) 



subkey number 


1 


2 


3 


4 


5 


6 


7 


8 


number of shifting times 


2 


4 


8 


12 


16 


20 


24 


26 



For instance, when C0=(c1 c2 c3 ... c26 c27 c28) ; C1=(c3 c4 c5 ... c28 d c2). 

Next, the 56-bit key data is transposed to be 48 bits in accordance with transposition shown in the following table 
(Table 5). 



(Table 5) 



14 


17 


11 


24 
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28 


15 
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10 
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19 


12 
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26 
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16 


7 


27 


20 


13 


2 


41 


52 


31 


37 


47 


55 
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(Table 5) 


^continued) 




30 


40 


51 


45 


33 


48 
53 


44 


49 


39 


56 


34 


46 


42 


50 


36 


29 


32 



10 



15 



20 



25 



30 



35 



40 



45 



SO 



SS 



output bits. 

* ^r^Hioto hiock from a plaintext block using the first subkey 
(5) The first encryption unit 105a generates a " s ^^f g ^ from the first plaintext block (Step 
(Step S105). In the present example, a first intermediate block is genera 

block (Step S109; first time) h , k f ^ the seV enth intermediate block using the 

^1^102°^"^ * are sepa ra ,«. to. ft. » — - ■ ^ "* 

in the present example (Step S102: second t,me >, 64 . bjt cha|n block generated when processing 

(13) in Step S103, an exclusrve-OR operation « P*™* ^^^0 0^0 generate merged key data, which is 
the first plaintext block and the 64-bit key -dtia or ^SSSXp 81 03: second time). 

S ^O^tS^ ^ ^ ^ ^ ^ PreSent ^ 

^("™ 

so that first to seventh ^^^^J^^J^^ the chain block by storing the fourth 
second plaintext block are generated, and the Mock £e*a fl unrt ^ chajn b|ock jn the preS ent example 

intermediate block corresponding to the second plaintext block as 

(Steps S105-S109, second time). unproC es S ed data of the plaintext data still exists in 

(20) In Step S110, the processing returns to Step S101, as unproc 

the present example (Step S110: second time). unDr ocessed data is equal to or larger than 64 bits, 

^^oSSlt^ tt. « ft* MM P«.« — - -P— 35 » ,hW 4 ^ 

the present example (Step S102: third time). generated when processing 

(23) in Step S103. an ^^J^Zt^Zi ^nljSX »* to generate merged key data. «*h 
the second plaintext block and ^^^^^^^SiSv S103: third time), 
is then sent to the subkey generation unrt 104 .n the present examp e ( P ^ ^ { example 

(24) In Step S104, eight 48-bit subkeys are generated from the 64 bit merge 
(Step S104: third time). 
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(25)-(29) In Steps S105-S109, the third plaintext block is processed in the same way as the first plaintext block, 
so that first to seventh intermediate blocks and subsequently a third ciphertext block which correspond to the third 
plaintext block are generated, and the block storage unit 102 renews the chain block by storing the fourth inter- 
mediate block corresponding to the third plaintext block as the new chain block in the present example (Steps 
S105-S109: third time). 

(30) In Step S110, the processing returns to Step S101, as unprocessed data of the plaintext data still exists in 
the present example (Step S110: third time). 

(31) In Step S101, the block dividing unit 101 judges that the unprocessed data is not equal to or larger than 64 
bits, as the remaining data after 64 bits were separated from the 72-bit plaintext data is 8 bits in the present example 
(Step S101 : fourth time). 

(32) When the unprocessed data of the plaintext data is smaller than 64 bits, the unprocessed data is sent to the 
fraction data processing unit 1 06 (Step S1 1 1 ). In the present example, the 1 93th to 200th bits ot the 200-bit plaintext 
data are sent to the fraction data processing unit 106 as fraction plaintext data. 

(33) On receiving the fraction plaintext data from the block dividing unit 101 , the fraction data processing unit 106 
generates fraction ciphertext data whose number of bits is the same as the fraction plaintext data using the chain 
block stored in the block storage unit 102 (Step S112). In the present example, an exclusive-OR operation is 
performed, for each corresponding bit, on the 8-bit fraction plaintext data and highest 8 bits of the 64-bit chain 
block which was generated when processing the third plaintext block and has been stored in the block storage 
unit 102, and as a result 8-bit fraction ciphertext data is generated. 

(34) When it is judged that unprocessed data of the plaintext data does not exist in Step S11 0, or after the fraction 
ciphertext data is generated in Step S11 2, the block integration unit 1 07 integrates each ciphertext block generated 
by the eighth encryption unit 105h and the fraction ciphertext data generated by the fraction data processing unit 
106 to generate ciphertext data (Step S113). In the present example, the first to third ciphertext blocks and the 
fraction ciphertext data are integrated to form 200-bit ciphertext data. 

<Operation of Data Decryption Apparatus 20> 

Fig. 11 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of First Embodiment 
of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 

As one example, a case is explained when the cryptographic processing is performed according to the DES algo- 
rithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the initial value IV of the chain 
block is stored in the block storage unit 202 in advance as in the block storage unit 1 02 of the data encryption apparatus 
10. 

(1) The block dividing unit 201 judges whether unprocessed data of the input ciphertext data is equal to or larger 
than 64 bits (Step S201). In the present example, unprocessed data of the input ciphertext data originally is 200 
bits, so that the block dividing unit 201 judges that the unprocessed data is equal to or larger than 64 bits (Step 
S201: first time). 

(2) When the unprocessed data of the input ciphertext data is equal to or larger than 64 bits, the first 64 bits are 
separated from the unprocessed data (Step S202). In the present example, the first to 64th bits of the 200-bit 
ciphertext data are separated as a first ciphertext block (Step S202: first time). 

(3) The key data merging unit 203 merges the chain block stored in the block storage unit 202 with key data to 
generate merged key data (Step S203). In the present example, an exclusiveOR operation is performed on the 
initial value IV of the 64-bit chain block and 64-bit key data for each corresponding bit to generate merged key 
data, which is then sent to the subkey generation unit 204 (Step S203: first time). 

(4) From the merged key data, the subkey generation unit 204 generates subkeys whose number is the same as 
the number of decryption units (Step S204). In the present example, eight 48-bit subkeys are generated from the 
64-bit merged key data (Step S204: first time). 

The process of generating first to eighth 48-bit subkeys (48 bits x 8) from the 64-bit key data which includes 8 
parity bits is the same as the subkey generation process performed by the subkey generation unit 104 of the data 
encryption apparatus 10. 

(5) The first decryption unit 205a generates a seventh intermediate block from a ciphertext block using the eighth 
subkey (Step S205). In the present example, a seventh intermediate block is generated from the first ciphertext 
block (Step S205: first time). 
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S207: first time). ■ „ nerate third to first intermediate blocks from the fourth to 

(8) The fifth to seventh decryption units ^^j^ 8 " 8 ^ (Step s20 8). In the present example, third to first 

text block (Step S208: first time). nlaintB vt block from the first intermediate block using the first 

corresponding to the first ciphertext block (St S209^rst tirne > ^ ^ data exists , the 

(10) It is judged whether unprocessed data of ^^O^tiMiorUsC^ ciphertext data (Step S210). 
proce S singretumstoSte P S201 inorde^ 

In the present example, unprocessed <^ "^^^JS^ «a is equa. to or larger than 64 brts, 

^^^^^^^^ *~ ^ ^ 1 " ,n ^ PrGSent 

^S^'So*!^ bits are separated from the 200-bit ciphertext data as a second ciphertext 

block in the present example ( St ^ 202 a ^°" d "formed on the 64-bit chain block generated when processing 

(1 3) ,n Step S203 an — f^Z^TZT^, bit to generate merged key data, wh.h ,s 
the first ciphertext block and the 64-b.t key aaia '° r examp |e (Step S203: second time). 

then sent to the subkey generation unit 204 ,n ^Z^Tel^ merged key data in the present example 

( 1 4) In Step S204, eight 48-bit subkeys are generated from the b4 

(Step S204: second time). nrocessed in the same way as the first ciphertext 

15 ) P (19) In Steps S205-S209, the se ;- d *£ h J^ 

block, so that seventh to first ^^JS.^ 202 renews the chain block by stonng the 

STcW- -k as the new chain b,cck in .e present 

^Stfp^^^ 

the present example (Step 821 a second time) _ unprocesse d data is equa. to or larger than 64 bits 

SnltK 

in the present example (Step S202: third time) ft chain block generated when processing 

<23)lnStepS203.anexc.^ 

thesecondciphertexlbtokandthee^brtkev '^ ,or le (Step S2 03: thirdtime). 

is then sent to the subkey generation th S-bit meVged key data in the present exam P .e 

(24) In Step S204, eight 48-bit subkeys are generated trom me 

(Step S204: third time). nrocessed in the same way as the first ciphertext block, 

25) (29) in Steps S205-S209, the thud 'f^^^^p^ block which correspond to the third 
so that seventh to first Intermediate btocks ^J^TSSK renews the chain block by storing the fourth inter- 
ciphertext block are generated, and ^^ZT^ZtTx^L chain block in the present example (Steps 
mediate block corresponding to the third c.phertext block as the 

S205-S209: third time). _ unprocessed data of the ciphertext data still exists .n 

(30) In Step S210. the processing returns to Step S201 . as unpr 

the present example (Step S210. third tn4 unpr ocessed data is not equal to or larger than 64 

example (Step S201 : lourth time). . u „ . . ata ic _ ma „ er than 64 bits, the unprocessed data is sent to the 
,32) vL„ « ttw 193lh to 200th Ms o. •» 20M* a- 
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(33) On receiving the fraction ciphertext data from the block dividing unit 201, the fraction data processing unit 
206 generates fraction plaintext data whose number of bits is the same as the fraction ciphertext data using the 
chain block stored in the block storage unit 202 (Step S212). In the present example, an exclusiveOR operation 
is performed, for each corresponding bit, on the 8-bit fraction ciphertext data and highest 8 bits of the 64-bit chain 

5 block which was generated when processing the third ciphertext block and has been stored in the block storage 

unit 202, and as a result 8-bit fraction ciphertext data is generated. 

(34) When it is judged that unprocessed data of the ciphertext data does not exist in Step S21 0, or after the fraction 
plaintext data is generated in Step S212 : the block integration unit 207 integrates each plaintext block generated 
by the eighth decryption unit 205h and the fraction plaintext data generated by the fraction data processing unit 

10 206 to generate plaintext data (Step S21 3). In the present example, the first to third plaintext blocks and the fraction 

plaintext data are integrated to form 200-bit plaintext data. 

In the cryptographic processing apparatus of First Embodiment, an intermediate block generated when performing 
the cryptographic processing on a present block is stored as a chain block, which is then merged with key data when 
15 performing the cryptographic processing on a next block, renewing the chain block each time the cryptographic process- 
ing is performed. 

Second Embodiment 

jo Second Embcdiment of the present invention is different from First Embodiment in that a chain block is not merged 

with key data but merged with either cryptographic-processing object data or data which has been generated by the 
cryptographic processing. 

<Construction> 

25 

The construction of an encrypted communication system of Second Embodiment is the same as that of First Em- 
bodiment, and is thereby not explained here. 

Construction of Data Encryption Apparatus 10> 

30 

Fig. 12 shows the detailed construction of a data encryption apparatus 10, which is shown in Fig. 2, of Second 
Embodiment of the present invention. 

Components which are the same as those in the data encryption apparatus 10 of First Embodiment shown in Fig. 
3 are given the same numbers. Components whose functions are the same as those in the data encryption apparatus 
35 10 of First Embodiment are not explained here. 

The data encryption apparatus 1 0 of Second Embodiment includes a block dividing unit 1 01 , a block storage unit 
102, a subkey generation unit 104, first to eighth encryption units 105a-105h, a fraction data processing unit 106, a 
block integration unit 107, and a block merging unit 108. 

When comparing the conventional encryption apparatus 30 shown in Fig. 1 and the data encryption apparatus 10 
40 of Second Embodiment of the present invention shown in Fig. 12, the exclusive-OR unit 301 corresponds to the block 
merging unit 108, the data encryption unit 302 corresponds to the block dividing unit 101 , the subkey generation unit 
104, the first to eighth encryption units 105a-105h, the fraction data processing unit 106, and the block integration unit 
107, and the register 303 corresponds to the block storage unit 102. 

Here, the same example is used as in First Embodiment where plaintext data of 200 bits is inputted in the data 
45 encryption apparatus 10. 

The block dividing unit 101 of Second Embodiment is different from that of First Embodiment only in that it sends 
divided blocks not to the first encryption unit 105a but to the block merging unit 108. 

The block merging unit 108 merges a chain block stored in the block storage unit 102 with a plaintext block to 
generate a merged plaintext block. In the present example, for processing a first plaintext block, an exclusiveOR 
50 operation is performed on the 64-bit first plaintext block and an initial value IV of a 64-bit chain block for each corre- 
sponding bit to generate a 64-bit first merged plaintext block. For processing second and third plaintext blocks, an 
exclusive-OR operation is performed, for each corresponding bit, on each of the 64-bit second and third plaintext blocks 
and a 64-bit chain block generated during the processing of the immediately preceding plaintext block, so as to generate 
64-bit second and third merged plaintext blocks, respectively 
55 The subkey generation unit 104 generates subkeys whose number is the same as the number of encryption units 

from key data. In the present example, the subkey generation unit 104 generates eight 48-bit subkeys from 64-bit input 
key data which has been determined in advance. 

The first encryption unit 105a generates a first intermediate block not from the plaintext block but from the merged 
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10 



15 



^^^^ 

generated from the resulting intermediate blocks. 
Construction of Data Decryption Apparatus 20> 

Embodiment of the present .nvention. decrvp tion apparatus 20 of First Embodiment shown in Fig. 

202, a subksy 9«»<a«°n unit 204, first to e.gt» terror, unte 205a 

decryption apparatus 20. b j the same as the number of decryption units 

The subkey generation unit 204 generates subk B*£ho. ^JJ" ej w ^ subkey5 , rom 64-bit input 

(ro m key data. In the present example, the ^ubkey V^^tSt*. lhat the ? un ction of generating the subkeys 
key data which has been determ.ned in advance. It shoulc De no functjon Qf generating the 

being generated from the resulting intermediate ^ s . 2Q2 wjth a cryp tographic-proc- 

The block merging unit 208 merges a cha.n block stored " ^*£^e first cjphertext bl0 ck, an exclusive- 
essedblocktogeneiateap.aintextb.ock. In the P^ s ^^ 

OR operation is performed on the 64-b.t first W*WfW ™^ k ™ essing the second and third ciphertext 
b ,ockforeachcorrespondingbittogeneratea64-b.tf, on ^ Qf ^ ^ second and third 

blocks, an exclusive-OR operation is P//^^ 
5 cryptographic-pressed bkx^ respectively. - 

cSertUblc^k. so as to generate 64-bit second ^ 

Theblockintegration unit207 integrates "^^^^^^pw^ data. In the present example, 

to 

<Operation> 

Operation of Data Encryption Apparatus 1 0> 

shown in F^ 10 are given the same numbers, and are not explamed here. 

(1M2) The same as First Embodiment (Steps S101 and S102: first *m*). q{ encfyptio n 
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on the 64-bit first plaintext block and the initial value IV of the 64-bit chain block for each corresponding bit to 
generate a 64-bit first merged plaintext block (Step S302: first time). 

(5) The first encryption unit 105a generates a first intermediate block from the merged plaintext block using a first 
subkey (Step S303). In the present example, a first intermediate block is generated from the first merged plaintext 

s block (Step S303: first time). 

(6) -(12) The same as First Embodiment (Steps S106-S110: first time, Steps S101 and S102: second time). 

(1 3) In Step S301 , eight 48-bit subkeys are generated from the 64-bit key data in the present example. If the key 
data has not been changed since the first time, the eight 48-bit subkeys generated in the first time may be stored, 
as the subkeys generated in the second time is the same as the subkeys generated in the first time (Step S301 : 

10 second time). 

(14) In Step S302, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit second 
plaintext block and the 64-bit chain block generated when processing the first plaintext block, so as to generate a 
64-bit second merged plaintext block in the present example (Step S302: second time). 

(15) In Step S303, a first intermediate block is generated from the second merged plaintext block in the present 
is example (Step S303: second time). 

(16) -(22) The same as First Embodiment (Steps S106-S110: second time, Steps S101 and S102: third time). 

(23) In Step S301 , eight 48-bit subkeys are generated from the 64-bit key data in the present example. If the key 
data has not been changed since the first time, the eight 48-bit subkeys generated in the first time may be stored, 
since the subkeys generated in the third time is the same as the subkeys generated in the first time (Step S301 : 

^0 third time). 

(24) In Step S302, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit third plaintext 
block and the 64-bit chain block generated when processing the second plaintext block, so as to generate a 64-bit 
third merged plaintext block in the present example (Step S302: third time). 

(25) In Step S303, a first intermediate block is generated from the third merged plaintext block in the present 
25 example (Step S303: third time). 

(26) -(34) The same as First Embodiment (Steps S106-S110: third time, Step S1 01: fourth time, Steps S111-S113). 

<Operation of Data Decryption Apparatus 20> 

30 Fig. 15 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Second Em- 

bodiment of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
35 cording to the DES algorithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the 
initial value IV of the chain block is stored in the block storage unit 202 in advance. 

Steps which are the same as those in the operation of the data decryption apparatus 20 of First Embodiment 
shown in Fig. 11 are given the same numbers, and are not explained here. 

40 (1 )-(2) The same as First Embodiment (Steps S201 -S202: first time). 

(3) The subkey generation unit 204 generates subkeys whose number is the same as the number of decryption 
units from key data (Step S401 ). In the present example, eight 48-bit subkeys are generated from the 64-bit input 
key data which has been determined in advance (Step S401 : first time). 

(4) -(6) The same as (5), (6), and (8) of First Embodiment (Steps S205, S206, and S208: first time). 

45 (7) The eighth decryption unit 205h generates a cryptographic-processed block from the first intermediate block 

using a first subkey (Step S402). In the present example, a first cryptographic-processed block is qenerated from 
the first intermediate block corresponding to the first ciphertext block (Step S402: first time). 

(8) The block merging unit 208 merges the cryptographic-processed block with the chain block stored in the block 
storage unit 202 (Step S403). In the present example, an exclusive-OR operation is performed on the 64-bit first 

so cryptographic-processed block and the initial value IV of the 64-bit chain block for each corresponding bit to gen- 

erate a 64-bit first plaintext block (Step S403: first time). 

(9) The same as (7) of First Embodiment (Step S207: first time). 

(10) -(12) The same as First Embodiment (Step S210: first time, Steps S201 and S202: second time). 

(1 3) In Step S401 , eight 48-bit subkeys are generated from the 64-bit key data in the present example. If the key 
55 data has not been changed, the eight 48-bit subkeys generated in the first time may be stored, since the subkeys 

generated in the second time is the same as the subkeys generated in the first time (Step S401: second time). 

(14) -(16) The same as (15), (16), and (18) of First Embodiment (Steps S205, S206, and S208: second time). 
(17) In Step S402, a second cryptographic-processed block is generated from the first intermediate block corre- 
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sponding to the second ciphertext block in the P resen ' e ;^ on the 64-bit second 

Jb) .n Step S403, an ^^^J^^ Passing the first ciphertext bloc, 

cryptographic-processed block and the ( ^ b b ^7™ 40 9 3 ; seC ond time). 

so as to generate a 64-bit second P^^^Zcond time). 
(19) The same as (17) of First Embod.me rt (Stt£ SWraeMKU ^ ^ ^ 

20 -(22) The same as First Embedment (Step S ^^J^ £ ^ in the present example. If the key 

23 m Step S401 . eight 48-bit ^J^^X^^ ,ir * ,im6 ^ be ^ ^ * ? " 
data has not been changed, the eight ^ »*^f "^.ated in the first time (Step S401 : third tune) 

generated in the third time is the » " ^S^S (Steps S205, S206, and S208: third fme). 
24H26) The same as (25), (26) and (2 ^ F r S ^^^ 

(27) In Step S402, a third cryptographc-processea w tj y 

(30)-(34) The same as First Embod.ment (Step S210. thira time, 
^ Posing is p.*.™* on. %»£^cZ°**l*> ■>'» 8S * 9 * Pert0m ' 0d °" * 



Third Embodiment 



i niro cnmwiii'p'" , 

p.aintext block. Accordingly, a chain block and ^^°^ e p P resent inve ntion operates in inverse convers.on 
P Also, a data decryption apparatus 20 d Third Engirt on P Embodiment is di « e rent from that of 

of the data encryption apparatus 1 0. The data £ ^ * plaint ext block, which is encrypted in the same 

FirstEmbodimentinthattheoutputoaou^ 
way as the data encryption apparatus 10 to generate a 



way av» »•« - ■ , 

being stored as the new chain block. 
<Construction> 



5 



>0 



55 



nsirucuon> 

i m nf Third Embodiment is the same as that of First Embod- 
The construction of an encrypted communicate system of Th.rd Embodim 
iment, and is thereby not explained here, 
construction of Data Encryption Apparatus 10> 

Embodiment of the present invention. encryption apparatus 10 of First Embodiment shown in Fig. 

the only difference lying in that the fifth encryption unit 1Q5e of Tn.r 
not S a fourth intermediate block but from the plaintext block. 

Construction of Data Decryption Apparatus 20> 

Embodiment of the present invention. decryption apparatus 20 of First Embodiment showr . in MFig. 

20 of First Embodiment are not explained here. 
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The data decryption apparatus 20 of Third Embodiment includes a block dividing unit 201, a block storage unit 
202, a key data merging unit 203, a subkey generation unit 204, first to fourth decryption units 205a-205d, first to fourth 
encryption units 205i-2051, a fraction data processing unit 206, and a block integration unit 207. 

Here, the same example is used as in First Embodiment where ciphertext data of 200 bits is inputted in the data 
s decryption apparatus 20. 

The fourth decryption unit 205d generates a plaintext block from a fifth intermediate block using a fifth subkey. In 
the present example, first to third plaintext blocks are generated from each fifth intermediate block corresponding to 
first to third ciphertext blocks. It should be noted that the first to fourth decryption units 205a-205d perform inverse 
conversions of the eighth to fifth encryption units 105h-105e of the data encryption apparatus 10, respectively 
10 The first encryption unit 205i generates a first intermediate block from the plaintext block generated by the fourth 

decryption unit 205d using a first subkey. 

The second to fourth encryption units 205j-2051 generate second to fourth intermediate blocks from the first to 
third intermediate blocks using second to fourth subkeys, respectively. 

The first to fourth encryption units 205t-205l have the same functions and operations as the first to fourth encryption 
is units 105a-105d of the data encryption apparatus 10. In the present example, from the first to third plaintext blocks, 
the first to fourth intermediate blocks which correspond to each of the first to third plaintext blocks are generated. 

Each time the fourth encryption unit 2051 generates a fourth intermediate block, the block storage unit 202, which 
is provided with a block renewal function, renews the chain block by storing the fourth intermediate block as the new 
chain block, which is used for processing a next block. This operation is the same as in First Embodiment 
20 The block integration unit 207 integrates each plaintext block generated by the fourth decryption unit 205d and 

fraction plaintext data generated by the fraction data processing unit 206 to generate plaintext data. In the present 
example, the 64-bit first to third plaintext blocks and 8-bit fraction plaintext data are integrated to form 200-bit plaintext 
data. 

2S <Operation> 

<Operation of Data Encryption Apparatus 10> 

Fig. 18 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Third Embod- 
30 iment of the present invention. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data encryption apparatus 10 where 200-bit plaintext data is inputted and the initial 
value IV of the chain block is stored in the block storage unit 102 in advance. 

Steps which are the same as those in the operation of the data encryption apparatus 10 of First Embodiment 
35 shown in Fig. 10 are given the same numbers, and are not explained here. 

(1)-(7) The same as First Embodiment (Steps S101-S107: first time). 

(8) The fifth to seventh encryption units 105e-105g generate fifth to seventh intermediate blocks from the plaintext 
block and the fifth and sixth intermediate blocks using the fifth to seventh subkeys, respectively (Step S501). In 

40 the present example, fifth to seventh intermediate blocks are generated from the first plaintext block and the fifth 

and sixth intermediate blocks corresponding to the first plaintext block, respectively (Step S501: first time). 

(9) -(17) The same as First Embodiment (Steps S109 and S110: first time, Steps S101-S107: second time). 

(18) In Step S501 , fifth to seventh intermediate blocks are generated from the second plaintext block and the fifth 
and sixth intermediate blocks corresponding to the second plaintext block respectively in the present example 

45 (Step S501 : second time). 

(19) -(27) The same as First Embodiment (Steps S109 and S110: second time, Steps S101-S107: third time). 
(28) In Step S501, fifth to seventh intermediate blocks are generated from the third plaintext block and the fifth 
and sixth intermediate blocks corresponding to the third plaintext block respectively, in the present example (Step 
S501: third time). 

so (29)-(34) The same as First Embodiment (Steps S109 and S110: third time, Step S101: fourth time, Steps 

S111-S113). 

<Operation of Data Decryption Apparatus 20> 

55 Fig. 1 9 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Third Embod- 

iment of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 
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which is to be merged and the operation of a block storage unit to store a chain block are carried out in inverse order, 
so that a merged block or a block which is not yet merged is stored as the new chain block. 

<Construction> 

5 

The construction ot an encrypted communication system of Fourth Embodiment is the same as that of First Em- 
bodiment, and is thereby not explained here. 

reconstruction of Data Encryption Apparatus 10> 

70 

Fig. 20 shows the detailed construction of a data encryption apparatus 10, which is shown in Fig. 2, of Fourth 
Embodiment of the present invention. 

Components which are the same as those in the data encryption apparatus 10 of Second Embodiment shown in 
Fig. 12 are given the same numbers. Components whose functions are the same as those in the data encryption 
*5 apparatus 10 of Second Embodiment are not explained here. 

The data encryption apparatus 10 of Fourth Embodiment includes a block dividing unit 101 , a block storage unit 
102, a subkey generation unit 104, first to eighth encryption units I05a-105h, a fraction data processing unit 106, a 
block integration unit 107, and a block merging unit 108. 

Here, the same example is used as in First Embodiment where plaintext data of 200 bits is inputted in the data 
20 encryption apparatus 10. 

The first encryption unit 105a generates a first intermediate block not from a merged plaintext block but from a 
chain block stored in the block storage unit 102. 

The first to fourth encryption units 105a-105d have the same functions as those of Second Embodiment. Here, 
first to third intermediate blocks and a cryptographic-processed block which correspond to each chain block are gen- 
25 erated from the chain block. 

The block merging unit 108 merges the cryptographic-processed block generated by the fourth encryption unit 
105d with a plaintext block to generate a fourth intermediate block. In the present example, for processing a first 
plaintext block, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit first plaintext block 
and a 64-bit first cryptographic-processed block generated from an initial value IV of the chain block. For processing 
30 second and third plaintext blocks, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit 
second and third plaintext blocks and 64-bit second and third cryptographic-processed blocks generated durinq the 
processing of the immediately preceding block, respectively. 

Each time the block merging unit 108 generates a fourth intermediate block corresponding to a present plaintext 
block, the block storage unit 102, which is provided with a block renewal function, renews the chain block by storing 
35 the fourth intermediate block as the new chain block, which is used for processing a next plaintext block. In the present 
example, the block storage unit 102 stores the 64-bit initial value IV in advance, which is used for processing the first 
plaintext block, and renews the chain block by storing a fourth intermediate block generated when processing the first 
plaintext block as the new chain block. Next, this new chain block is used for processing the second plaintext block, 
and a fourth intermediate block generated during the processing is stored in the block storage unit 102 as the new 
40 chain block. Next, this new chain block is used for processing the third plaintext block, and a fourth intermediate block 
generated during the processing is stored in the block storage unit 102 as the new chain block. Then, this new chain 
block is used for processing fraction plaintext data. 

The fifth to eighth encryption units 105e-105h have the same functions as those of Second Embodiment. In the 
present example, fifth to seventh intermediate blocks are progressively generated for each of the fourth intermediate 
45 blocks, with first to third ciphertext blocks being generated from the resulting intermediate blocks. 

The fraction data processing unit 106 receives the traction plaintext data from the block dividing unit 101, and 
generates traction ciphertext data whose number of bits is the same as the fraction plaintext data using the crypto- 
graphic-processed block generated by the fourth encryption unit I05d. The fraction data processing unit 106 includes 
a data matching unit 106a and a fraction data merging unit 106b. 
50 The data matching unit 1 06a generates fraction cryptographic-processed data whose number of bits is the same 

as the fraction plaintext data from the cryptographic-processed block generated by the fourth encryption unit 105d. In 
the present example, the fraction plaintext data is 8 bits, so that the data matching unit 106a generates fraction cryp- 
tographic-processed data which is composed of, for example, highest 8 bits of the cryptographic-processed block 
generated by the fourth encryption unit 105d. 
55 The fraction data merging unit 106b merges the fraction cryptographic-processed data with the fraction plaintext 

data to generate the fraction ciphertext data. In the present example, an exclusive-OR operation is performed on the 
8-bit fraction cryptographic-processed data and the 8-bit Iraction plaintext data for each corresponding bit to generate 
8-bit fraction ciphertext data. 
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(4) The first encryption unit 105a generates a first intermediate block from the chain block stored in the block 
storage unit 102 using the first subkey (Step S701). In the present example, a first intermediate block is generated 
from the initial value IV of the chain block (Step S701 : first time). 

(5) The second to fourth encryption units 105b-105d generate second and third intermediate blocks and a crypto- 
graphic-processed block from the first to third intermediate blocks using the second to fourth subkeys (Step S702). 
In the present example, second and third intermediate blocks and a first cryptographic-processed block are gen- 
erated from the first to third intermediate blocks corresponding to the initial value IV of the chain block, respectively 
(Step S702: first time). 

(6) The block merging unit 108 merges the cryptographic-processed block with a plaintext block to generate a 
fourth intermediate block (Step S703). In the present example, an exclusiveOR operation is performed on the 
64-bit first cryptographic-processed block and the 64-bit first plaintext block for each corresponding bit to generate 
a 64-bit fourth intermediate block (Step S703: first time). 

(7) -(13) The same as Second Embodiment (Steps S107-S110: first time, Steps S101, S102, and S301: second 
time). 

(1 4) In Step S701 , a first intermediate block is generated from the 64-bit chain block generated during the process- 
ing of the first plaintext block in the present example (Step S701 : second time). 

(15) In Step S702, second and third intermediate blocks and a second cryptographic-processed block are gener- 
ated from the first to third intermediate blocks corresponding to the chain block generated during the processing 
of the first plaintext block respectively, in the present example (Step S702: second time). 

(16) In Step S703, an exclusive-OR operation is performed on the 64-bit second cryptographic-processed block 
and the 64-bit second plaintext block for each corresponding bit to generate a 64-bit fourth intermediate block in 
the present example (Step S703: second time). 

(17) -(23) The same as Second Embodiment (Steps S107-S110: second time, Steps S101, S102, and S301: third 
time). 

(24) In Step S701 , a first intermediate block is generated from the 64-bit chain block generated during the process- 
ing of the second plaintext block in the present example (Step S701: third time). 

(25) In Step S702, second and third intermediate blocks and a third cryptographic-processed block are generated 
from the first to third intermediate blocks corresponding to the chain block generated during the processing of the 
second plaintext block respectively, in the present example (Step S702: third time). 

(26) In Step S703, an exclusive-OR operation is performed on the 64-bit third cryptographic-processed block and 
the 64-bit third plaintext block for each corresponding bit to generate a 64-bit fourth intermediate block in the 
present example (Step S703: third time). 

(27) -(34) The same as Second Embodiment (Steps S107-S110: third time, Step S101: fourth time, Steps 
S111-S113). 

<Operation of Data Decryption Apparatus 20> 

Fig. 23 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Fourth Embod- 
iment of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the 
initial value IV of the chain block is stored in the block storage unit 202 in advance. 

Steps which are the same as those in the operation of the data decryption apparatus 20 of Second Embodiment 
shown in Fig. 15 are given the same numbers, and are not explained here. 

(1)-(5) The same as Second Embodiment (Steps S201, S202, S401, S205, and S206: first time). 

(6) The first encryption unit 205i generates a first intermediate block from the chain block stored in the block storage 
unit 202 using the first subkey (Step S801). In the present example, a first intermediate block is generated from 
the initial value IV of the chain block (Step S801 : first time). 

(7) The second to fourth encryption units 205j-205l generate second and third intermediate blocks and a crypto- 
graphic-processed block from the first to third intermediate blocks using the second to fourth subkeys, respectively 
(Step S802). In the present example, second and third intermediate blocks and a first cryptographic-processed 
block are generated from the first to third intermediate blocks corresponding to the initial value IV of the chain 
block (Step S802: first time). 

(8) The block merging unit 208 merges the cryptographic-processing block with the fourth intermediate block to 
generate a plaintext block (Step S803). In the present example, an exclusive-OR operation is performed, for each 
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The block merging unit 1 08 merges the fourth intermediate block generated by the fourth encryption unit 1 05d with 
a plaintext block to generate a merged plaintext block. In the present example, for processing a first plaintext block, 
an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit first plaintext block and a 64-bit fourth 
intermediate block generated from an initial value IV of the chain block. For processing second and third plaintext 

5 blocks, an exclusive-OR operation is performed, for each corresponding bit, on each of the 64-bit second and third 
plaintext blocks and a 64-bit fourth intermediate block generated during the processing of the immediately preceding 
plaintext block, respectively. 

The fifth encryption unit 105e generates a fifth intermediate block not from the fourth intermediate block but from 
the merged plaintext block generated by the block merging unit 108. 
io The fifth to eighth encryption units 105e-l05h have the same functions as those of Second Embodiment. In the 

present example, fifth to seventh intermediate blocks are progressively generated for each of the merged plaintext 
blocks, with first to third ciphertext blocks being generated from the resulting intermediate blocks. 
The fraction data processing unit 106 has the same function as that of Fourth Embodiment. 
It should be noted here that the fraction data processing unit 106 may have the same function as that of Second 
is Embodiment. 

<Construction of Data Decryption Apparatus 20> 

Fig. 25 shows the detailed construction of a data decryption apparatus 20, which is shown in Fig. 2, of Fifth Em- 

6 bodtment of the present invention. 

Components which are the same as those in the data decryption apparatus 20 of Second Embodiment shown in 
Fig. 1 3 are given the same numbers. Components whose functions are the same as those in the data decryption 
apparatus 20 of Second Embodiment are not explained here. 

The data decryption apparatus 20 of Fifth Embodiment includes a block dividing unit 201 , a block storage unit 202, 
25 a subkey generation unit 204, first to fourth decryption units 205a-205d, first to fourth encryption units 205i-2051, a 
fraction data processing unit 206, a block integration unit 207, and a block merging unit 208. 

Here, the same example is used as in First Embodiment where ciphertext data of 200 bits is inputted in the data 
decryption apparatus 20. 

The fourth decryption unit 205d generates a cryptographic-processed block from a fifth intermediate block using 
30 a fifth subkey In the present example, first to third cryptographic-processed blocks are generated from each of the fifth 
intermediate blocks corresponding to the first to third ciphertext blocks, respectively. Here, the conversions performed 
by the first to fourth decryption units 205a-205d are inverse conversions of the conversions performed by the respective 
fourth to first encryption units 105d-105a of the data encryption apparatus 10. 

The first encryption unit 205i generates a first intermediate block from a chain block stored in the block storage 
35 unit 202 using a first subkey. 

The second to fourth encryption units 205j-2051 generate second to fourth intermediate blocks from the first to 
third intermediate blocks using second to fourth subkeys, respectively. 

Each time the fourth encryption unit 2051 generates a fourth intermediate block, the block storage unit 202, which 
is provided with a block renewal function, renews the chain block by storing the fourth intermediate block as the new 
40 chain block, which is used for processing a next ciphertext block. This operation is the same as First Embodiment. 

The first to fourth encryption units 205i-2051 have the same functions and operations as the respective first to 
fourth encryption units 105a-105d of the data encryption apparatus 10. In the present example, first to fourth interme- 
diate blocks corresponding to each chain block are generated from the chain block. 

The block merging unit 208 merges the fourth intermediate block generated by the fourth encryption unit 2051 with 
45 the cryptographic-processed block generated by the fourth decryption unit 205d to generate a plaintext block. In the 
present example, for processing the first ciphertext block, an exclusive-OR operation is performed, for each corre- 
sponding bit, on the 64-bit fourth intermediate block generated from the initial value IV of the chain block and the 64-bit 
first cryptographic-processed block generated from the first ciphertext block, so as to generate a 64-bit first plaintext 
block. For processing the second and third ciphertext blocks, an exclusive-OR operation is performed, for each corre- 
50 sponding bit, on each 64-bit fourth intermediate block which has been generated from the chain blocks generated 
during the processing of the first and second ciphertext blocks and each of the 64-bit second and third cryptographic- 
processed blocks generated from the second and third ciphertext blocks, so as to generate 64-bit second and third 
plaintext blocks, respectively. 

The fraction data processing unit 206 has the same lunction as that of Fourth Embodiment. 
55 it should be noted here that the fraction data processing unit 206 may have the same function as that of Second 

Embodiment. 
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The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the 
s initial value IV of the chain block is stored in the block storage unit 202 in advance. 

Steps which are the same as those in the operation of the data decryption apparatus 20 of Second Embodiment 
shown in Fig. 15 are given the same numbers, and are not explained here. 

(1 )-(4) The same as Second Embodiment (Steps S201 , S202, S401 , and S205: first time). 

10 (5) The second to fourth decryption units 205b-205d generate sixth and fifth intermediate blocks and a crypto- 

graphic-processed block from the seventh to fifth intermediate blocks using the seventh to fifth subkeys, respec- 
tively (Step S1001 ). In the present example, sixth and fifth intermediate blocks and a first cryptographic-processed 
block are generated from the seventh to fifth intermediate blocks corresponding to the first ciphertext block, re- 
spectively (Step S1001 : first time). 

is (6) The first encryption unit 205i generates a first intermediate block from the chain block stored in the block storage 

unit 202 using the first subkey (Step S1 002). In the present example, a first intermediate block is generated from 
the initial value IV of the chain block (Step S1002: first time). 

(7) The second to fourth encryption units 205j-2051 generate second to fourth intermediate blocks from the first 
to third intermediate blocks using the second to fourth subkeys, respectively (Step S1003). In the present example, 

zo second to fourth intermediate blocks are generated from the first to third intermediate blocks corresponding to the 

initial value IV of the chain block (Step S1003; first time). 

(8) The block merging unit 208 merges the cryptographic-processing block with the fourth intermediate block to 
generate a plaintext block (Step S1004). In the present example, an exclusive-OR operation is performed, for each 
corresponding bit, on the 64-bit first cryptographic-processed block and the 64-bit fourth intermediate block cor- 

2S responding to the initial value IV of the chain block, so as to generate a 64-bit first plaintext block (Step S1004: 

first time). 

(9) -(1 4) The same as Second Embodiment (Steps S207 and S21 0: first time, Steps S201 , S202, S401 ( and S205: 
second time). 

(15) In Step S1001 , sixth and fifth intermediate blocks and a second cryptographic-processed block are generated 
30 from the seventh to fifth intermediate blocks corresponding to the second ciphertext block respectively, in the 

present example (Step S1001: second time). 

(1 6) I n Step S1 002, a first intermediate block is generated from the 64-bit chain block generated during the process- 
ing of the first ciphertext block in the present example (Step S1002: second time). 

(17) In Step S1003, second to fourth intermediate blocks are generated from the first to third intermediate blocks 
35 corresponding to the chain block generated during the processing of the first ciphertext block respectively, in the 

present example (Step S1003: second time). 

(18) In Step S1004, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit second 
cryptographic-processed block and the 64-bit fourth intermediate block corresponding to the chain block generated 
during the processing of the first ciphertext block, so as to generate a 64-bit second plaintext block in the present 

40 example (Step S1 004: second time). 

(19) -(24) The same as Second Embodiment (Steps S207 and S210: second time, Steps S201, S202, S401, and 
S205: third time). 

(25) In Step S1001, sixth and fifth intermediate blocks and a third cryptographic-processed block are generated 
from the seventh to fifth intermediate blocks corresponding to the third ciphertext block respectively, in the present 

45 example (Step S1001: third time). 

(26) In Step SI 002, a first intermediate block is generated from the 64-bit chain block generated during the process- 
ing of the second ciphertext block in the present example (Step S1002: third time). 

(27) In Step S1003, second to fourth intermediate blocks are generated from the first to third intermediate blocks 
corresponding to the chain block generated during the processing of the second ciphertext block respectively, in 

so the present example (Step S1003: third time). 

(28) In Step S1004, an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit third cryp- 
tographic-processed block and the 64-bit fourth intermediate block corresponding to the chain block generated 
during the processing of the second ciphertext block, so as to generate a 64-bit third plaintext block respectively, 
in the present example (Step S1004: third time). 

55 (29)-(34) The same as Second Embodiment (Steps S207 and S210: third time, Step S201: fourth time, Steps 

S211-S213). 

In the cryptographic processing apparatus of Fifth Embodiment, an intermediate block generated when the cryp- 
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cryptographic processing is performed. 



Sixth Embodiment 



SixthEmbodimentofthepresen^^^^^ 
{rom cryptographic-processing f f time the olographic processing 

10 tographic-processing object data. In th,s c ^l^^^Zw which is to be subjected to the cryptographic 

when the cryptographic processing is performed on a next block, 
is <Construction> 

iment, and is thereby not explained here. 
20 Construction of Data Encryption Apparatus 1 0> 

Fig . 28 shows the detailed construction of a data encryption apparatus 10. which is shown in Fig. 2, o, Sixth 

Embodiment of the present invention. enrrv «tion a D oaratus 10 of First Embodiment shown in Fig. 

. 3 are C g °r^^^ 

102, a key data merging unit 103, a subkey generate nun* 1 unl?M. 

theblcckstorageunit 102, which ispro^ J nt examp|e ^ b|ock 

block as the new chain block, which is used or processing a next g^^^, first plaint ext block, and 
3S storage unit 1 02 stores a 64-bit initial value IV jn ^^g the p^ocessingd the first plaintext block as 

renews thechain bio* by stonngafir^ 
thenewchain block. Next, ^ new chain bl^k.s used »o^ 

block generated during the processes is ^™?*^^£toLtL block generated during the processing 
^ byconversion unit 109 performs preterm™ 

unit 102 to generate a converted block. Here, the pm*H»™. ed co « P^ jon * transposlti on in a bit unit, 
109 is, for instance, bit transposition, bit.conver.sio . or ^the ^^^^^ unlts l0 5a-105h of First Em- 
45 such as the permutation P explained .n the de sc ^ *J« exclusiveOR operation on specific data. 

so blocks, respectively. nonerated bv the block conversion unit 109 with key 

The key data merging unit 103 merges the converted biock 9££* ^ ^ 
data to generate merged key data. In the presen * ■£££3*2 btock and 64-bit input key data which 

operation is performed, for each corresponding brt on ^^^'^^text blocks, an exclusrveOR operatton is 
has been determined in advance. For process.ng the ^"J^J ^iUey data for each corresponding brt, 
55 performed on each of the 64-bit second and th.rd converted blocks and the y 

respectively. n ttaMinn n i airi text data from the block dividing unit 101, and 

P The fraction data processing un* 106 recces the «**££?ZX*^ data using the converted 

generates Iraction ciphertext data whose number of bits is the same as 
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block generated by the block conversion unit 109. The fraction data processing unit 106 includes a data matching unit 

106a and a fraction data merging unit 106b. 

The data matching unit 106a generates fraction converted data whose number of bits is the same as the fraction 

plaintext data from the converted block generated by the block conversion unit 109. In the present example, the fraction 
s plaintext data is 8 bits, so that the data matching unit 1 06a generates fraction converted data which is composed of, 

for example, highest 8 bits of the converted block generated by the block conversion unit 109. 

The fraction data merging unit 106b merges the fraction converted data with the fraction plaintext data. In the 

present example, an exclusive-OR operation is performed on the 8-bit fraction converted data and the 8-bit fraction 

plaintext data for each corresponding bit to generate 8-bit fraction ciphertext data 
10 it should be noted that the fraction data processing unit 106 may have the same function as that of First Embod- 

iment. 

Construction of Data Decryption Apparatus 20> 

is Fig: 29 shows the detailed construction of a data decryption apparatus 20, which is shown in Fig. 2, of Sixth 

Embodiment of the present invention. 

Components which are the same as those in the data decryption apparatus 20 of First Embodiment shown in Fig. 

8 are given the same numbers. Components whose functions are the same as those in the data decryption apparatus 

20 of First Embodiment are not explained here. 
20 The data decryption apparatus 20 of Sixth Embodiment includes a block dividing unit 201 , a block storage unit 

202, a key data merging unit 203, a subkey generation unit 204, first to eighth decryption units 205a-205h, a fraction 

data processing unit 206, a block integration unit 207, and a block conversion unit 209. 

Here, the same example is used as in First Embodiment where ciphertext data of 200 bits is inputted in the data 

decryption apparatus 20. 

25 The blockstorage unit 202 is provided with a block renewal function. Each time the block dividing unit 201 generates 

a present ciphertext block, the block storage unit 202 renews a chain block by storing the ciphertext block as the new 
chain block, which is used for processing a next ciphertext block. In the present example, a 64-bit initial value IV which 
has been stored in advance is used for processing a first ciphertext block, and the first ciphertext block is stored as 
the new chain block. Next, this new chain block is used for processing a second ciphertext block, and the second 

30 ciphertext block is stored as the new chain block. Next, this new chain block is used for processing a third ciphertext 
block, and the third ciphertext block is stored as the new chain block. Then, this new chain block is used for processing 
fraction ciphertext data. 

The block conversion unit 209 performs predetermined conversion on the chain block stored in the block storage 
unit 202 to generate a converted block. Here, the predetermined conversion performed by the block conversion unit 

35 209 is the same as the predetermined conversion performed by the block conversion unit 109 of the data encryption 
apparatus 10, which is, for instance, bit transposition, bit conversion, or the like. Here, the bit transposition is transpo- 
sition in a bit unit, such as the permutation P which has been explained in the description of the first to eighth encryption 
units 105a-105h of First Embodiment, while the bit conversion is fixed calculation in a bit unit, such as an exclusive- 
OR operation on specific data. In the present example, for processing the first ciphertext block, a 64-bit first converted 

40 block is generated from the initial value IV of the 64-bit chain block. For processing the second and third ciphertext 
blocks, 64-bit second and third converted blocks are generated from the 64-bit chain blocks generated during the 
processing of the first and second ciphertext blocks, respectively. 

The key data merging unit 203 merges the converted block generated by the block conversion unit 209 with key 
data to generate merged key data. In the present example, for processing the first ciphertext block, an exclusiveOR 

45 operation is performed, for each corresponding bit, on the 64-bit first converted block and 64-bit input key data which 
has been determined in advance. For processing the second and third ciphertext blocks, an exclusiveOR operation 
is performed on each of the 64-bit second and third converted blocks and the 64-bit key data for each corresponding 
bit, respectively. 

The fraction data processing unit 206 receives the fraction ciphertext data from the block dividing unit 201, and 
50 generates fraction plaintext data whose number of bits is the same as the fraction ciphertext data using the converted 
block generated by the block conversion unit 209. The fraction data processing unit 206 includes a data matching unit 
206a and a fraction data merging unit 206b. 

The data matching unit 206a generates fraction converted data whose number of bits is the same as the fraction 
ciphertext data from the converted block generated by the block conversion unit 209. In the present example, the 
55 fraction ciphertext data is 8 bits, so that the data matching unit 206a generates fraction converted data which is com- 
posed of, for example, highest 8 bits of the converted block generated by the block conversion unit 209. 

The fraction data merging unit 206b merges the fraction converted data with the fraction ciphertext data. In the 
present example, an exclusiveOR operation is performed on the 8-bit fraction converted data and the 8-bit fraction 
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ciphertext data for each corresponding bit to function as that of First Embod- 

U should be noted that the fraction data process.ng unit 206 may have me 



iment. 

<Operation> 

<Operation of Data Encryption Apparatus 10> 
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Fig . 30 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 o, Sbcth Embod- 

iment of the present invention. ^-Pin the crvotoqraphic processing is performed ac- 

shown in Fig. 10 are given the same numbers, and are not explained here. 

(1)-(2) The same as First Embodiment (Steps 8101 and ' s ^ re "^^ nbtek ^intheblock8tofage 
3 l h eblockconversionunit109 performs P«*^^ , ^^S^ 1he converted block with key 
unit 102 to generate a converted block, ^.^^SS^L converted b.ock is generated 
data to generate merged key data (Step 81 10£ In the ^^n',^^ p^fc,^ „ fte 64*it fW 

(9) The block storage unit 1 02 renews the chain block by J^^t^chain block (Step S11 02: first time). 
S1102)..nthepresentexamp.e.th^ 

(10) -(12) The same as First Embod.ment (Step S1 10. first tone. : bieps gene rated during the 
1 3 „ Step 81 1 01 , a 64-bit second converted block ,s fl£"^£^j£ tne 64 -bit second converted 
processing of the first plaintext block, and an -^^^^^^(^^OV^Ilrn.). 

Sn Step S1102. the second ciphertext block is stored as the new chain biock in the present example (Step 
S1102: second time). _ . ti steDS S101 and S102; third time). 

,20 M 22) H» «™ « Ftat E ^ lm ^ e b P J" s °^X' m S&hSi chains genera.* during .he 

Operation of Data Decryption Apparatus 20> 

Fl9 3, B a to .chan S ,v»ing« W ^ 
^SSSIESS d«**n apparau* 20 is M. ™* - « «—»■ o. ft. da,» «ff»n 

apparatus 10. . wherein the cryptographic processing is performed ac- 

shown in Fig. 11 are atom the same numbers, and are not explained here. 

(1)-(2)The same as First Embodiment (Steps S201-S202: fi ^^ 
(3 Thebl«*conve^^^ 

unit 202 to generate a converted block, and the key data merg.ng unri *m me g 
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data to generate merged key data (Step S1 201 ). In the present example, a 64-bit first converted block is generated 
from the initial value Iv of the 64-bit chain block, and an exclusive-OR operation is performed on the 64-bit first 
converted block and 64-bit input key data which has been determined in advance for each corresponding bit (Step 
S1 201: first time). 

(4)-(8) The same as (4)-(6), (8). and (9) of First Embodiment (Steps S204-S206, S208, and S209: first time). 

(9) The block storage unit 202 renews the chain block by storing the ciphertext block as the new chain block (Step 
S1 202). In the present example, the first ciphertext block is stored as the new chain block (Step S1 202: first time). 

(10) -(12) The same as First Embodiment (Step S210: first time, Steps S201 and S202. second time). 

(13) In Step S1201, a 64-bit second converted block is generated from the 64-bit chain block generated during 
the processing of the first ciphertext block and an exclusive-OR operation is performed on the 64-bit second 
converted block and the 64-bit key data for each corresponding bit in the present example (Step S1201: second 
time). 

(14) -(18) The same as (14)-(16), (18), and (19) of First Embodiment (Steps S204-S206, S208, and S209: second 
time). 

(19) In Step S1202, the second ciphertext block is stored as the new chain block in the present example (Step 
S1202: second time). 

(20) -(22) The same as First Embodiment (Step S210: second time, Steps S201 and S202: third time). 

(23) In Step SI 201, a 64-bit third converted block is generated from the 64-bit chain block generated during the 
processing of the second ciphertext block, and an exclusive-OR operation is performed on the 64-bit third converted 
block and the 64-bit key data for each corresponding bit in the present example (Step S1201: third time). 

(24) -(28) The same as (24)-(26), (28), and (29) of First Embodiment (Steps S204-S206, S208, and S209: third 
time). 

(29) In Step 51202 ; the third ciphertext block is stored as the new chain block (Step S1202: third time). 

(30) -(34) The same as First Embodiment (Step S210: third time, Step S201 : fourth time, Steps S211-S213). 

In the cryptographic processing apparatus of Sixth Embodiment, a ciphertext block is stored as a chain block, 
which is then converted and merged with key data next time the cryptographic processing is performed. Thus, the 
chain block is renewed each time the cryptographic processing is performed. 

It should be noted that while in Sixth Embodiment the ciphertext block is stored as the new chain block, a plaintext 
block or one of intermediate blocks may also be stored as the new chain block. 

Seventh Embodiment 

Seventh Embodiment of the present invention is different from Sixth Embodiment in that a converted block obtained 
by performing block conversion on a chain block is not merged with key data but with either cryptographic-processing 
object data or cryptographic-processed data which has been generated by the cryptographic processing. 

<Construction> 

The construction of an encrypted communication system of Seventh Embodiment is the same as that of First 
Embodiment, and is thereby not explained here. 

Construction of Data Encryption Apparatus 10> 

Fig. 32 shows the detailed construction of a data encryption apparatus 10, which is shown in Fig. 2, of Seventh 
Embodiment of the present invention. 

Components which are the same as those in the data encryption apparatus 10 of Second Embodiment shown in 
Fig. 12 are given the same numbers. Components whose functions are the same as those in the data encryption 
apparatus 10 of Second Embodiment are not explained here. 

The data encryption apparatus 1 0 of Seventh Embodiment includes a block dividing unit 1 01 , a block storage unit 
102, a subkey generation unit 104, first to eighth encryption units 105a-105h, a fraction data processing unit 106, a 
block integration unit 107, a block merging unit 108, and a block conversion unit 109. 

Here, the same example is used as in First Embodiment where plaintext data of 200 bits is inputted in the data 
encryption apparatus 10. 

The block storage unit 102 has a block renewal function. Each time the eighth encryption unit 105h generates a 
ciphertext block from a present plaintext block, the block storage unit 1 02 renews a chain block by storing the ciphertext 
block as the new chain block, which is used for processing a next plaintext block. In the present example, a 64-bit initial 
value IV which has been stored in advance is used for processing a first plaintext block, and a first ciphertext block 
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second plaintext block, and a second c.phertext block *™£d^ P a tnird ciphertext block generated 
block. Next, this new chain block is used lor processing a ^iJ^S* block is used for processing fraction 
during the processing is stored as the new cha.n block. Then this new 

plaintext data. , Qrmi „ori inversion on the chain block stored in the block storage 

The block conversion unit 109 perlorms ^^^^^ performed by the block conversion unrt 
unit 102 to generate a converted btack ^^^^^Z^ example, for processing the first plaintext 
109 is. for example. bittransposrtion. bit conversion or he »^ n ™* v of the 64 -bit chain block. For processing the 
block, a 64-bit first converted block is generated from , tt» rtto vak* rv ot ^ ^ ^ chajn ^ 

second and third plaintext blocks, 64-b,t seco nd ^^^^ 

generated during the processing of the first ^^^^^[J^JL^ unft 109 with a ptahte* 

The block merging unit 1 08 merges the converted block 9^ a ^ 
blocktogenerateamerged plaintext block, inthepresen^ 

OR operation is performed on the 64-brt f.rst converted J Wc«llhB64^ P^ ^ ^ ^ 

bit to generate a 64-bit first merged plaintext block. Fo IP™**"*™ Rs and the 64 . bit seC ond and third plaintext 

Construction of Data Decryption Apparatus 20> 

Fi , 33 *~d — «*n « a M » » — " — " * 9 * * — * 

Embodiment of the present .nvent.cn. deC rvption apparatus 20 of Second Embodiment shown .n 

Fig ^^r^^^^^^ « - same as those in the data decrypt,on 

202, a subkey generation unrt 204. first to ^^^^^ unit 209. 

ciphertext block, the block storage unit ^ M ^^^^SSpte, a 64-bit initial value IV which has been 
whWs used for pressing a next ciphertex^ 

stored in advance is used for process.ng a f.rst epherteft bk^and the t.rs p ^ b|ocR |g 

5 block. Next, this new chain block is used for P»»mf ec ° nd . S^SS-Ing a third ciphertext block, and the third 
stored as the new chain block-Next. th.s new cha " ^» J^£*bi«J ** processing Iraction ciphertext data, 
ciphertext is stored as the new chain block. ^^f^^Z chain block stored in the block storage 
The block conversion unit 209 perlorms predetermined conversion on i b|ock un it 

unit 202 to generate a converted block. Here, the ^^^^eZ uniU09 of the data encryption 
» 209 is the same as the predetermined eon ^ t ^^^ 0 * e like. In the present example, for processing 
apparatus 10. which is. for example, £m the initial value IV of the 64-bit chain block, 

the first ciphertext btock, a 64-bft tart converted btock » 9^""^ tnird con verted blocks are generated from 
For processing the second and third ciphertext blocks, respectively, 

the 64-btt chain blocks generated dunng the P^^^jj^ by the block conversion unit 209 with a cryp- 
The block merging unit 208 merges the ^^^^^^to, for processing the first ciphertext 
tographfc-processed block to generate » P^^J^J^^^i block and a 64-bit first cryptographic- 
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<Operation> 

55 ^operation of Data Encryption Apparatus 1 0> 
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bodiment of the present invention. 
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Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data encryption apparatus 10 where 200-bit plaintext data is inputted and the initial 
value IV of the chain block is stored in the block storage unit 102 in advance. 

Steps which are the same as those in the operation of the data encryption apparatus 10 of Second Embodiment 
shown in Fig. 14 are given the same numbers, and are not explained here. 

(1)-(3) The same as Second Embodiment (Steps S101 , S102, and S301 : first time). 

(4) The block conversion unit 1 09 performs predetermined conversion on the chain block stored in the block storage 
unit 102 to generate a converted block, and the block merging unit 108 merges the converted block with a plaintext 
block to generate a merged plaintext block (Step S1 301). In the present example, a 64-bit first converted block is 
generated from the initial value IV of the 64-bit chain block, and an exclusive-OR operation is performed on the 
64-bit first converted block and the 64-bit first plaintext block for each corresponding bit to generate a 64-bit first 
merged plaintext block (Step S1 301 : first time). 

(5) -(8) The same as Second Embodiment (Steps S303, S106, S108, and S109: first time). 

(9) The block storage unit 102 renews the chain block by storing the ciphertext block as the new chain block (Step 
S1302). In the present example, the block storage unit 102 stores the first ciphertext block as the new chain block 
(Step S1302: first time). 

(10) -(13) The same as Second Embodiment (Step S110: first time, Steps SI 01 , S102, and S301: second time). 

(14) In Step S1301, a 64-bit second converted block is generated from the 64-bit chain block generated during 
the processing of the first plaintext block, and an exclusive-OR operation is performed on the 64-bit second con- 
verted block and the 64-bit second plaintext block for each corresponding bit to generate a 64-bit second merged 
plaintext block in the present example (Step S1301: second time). 

(15) -(19) The same as Second Embodiment (Steps S303, S106, S108, and S109: second time). 

(19) In Step S1302, the second ciphertext block is stored as the new chain block in the present example (Step 
S1302: second time). 

(20) -(23) The same as Second Embodiment (Step S110: second time, Steps S101, S102, and S301: third time). 

(24) In Step S1 301 , a 64-bit third converted block is generated from the 64-bit chain block generated during the 
processing of the second plaintext block, and an exclusive-OR operation is performed on the 64-bit third converted 
block and the 64-bit third plaintext block for each corresponding bit to generate a 64-bit third merged plaintext 
block in the present example (Step S1 301 : third time). 

(25) -(29) The same as Second Embodiment (Steps S303, S106. S108, and S109: third time). 

(29) In Step S 1 302, the third ciphertext block is stored as the new chain block in the present example (Step S1 302: 
third time). 

(30) -(34) The same as Second Embodiment (Step S110: third time, Step S101: fourth time, Steps S111-S113). 
<Operation of Data Decryption Apparatus 20> 

Fig. 35 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Seventh Em- 
bodiment of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 

apparatus 10. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the 
initial value IV of the chain block is stored in the block storage unit 202 in advance. 

Steps which are the same as those in the operation of the data decryption apparatus 20 of Second Embodiment 
shown in Fig. 15 are given the same numbers, and are not explained here. 

(1)-(7) The same as Second Embodiment (Steps S201, S202, S401, S205, S206, S208, and S402: first time). 

(8) The blockconversion unit 209 performs predetermined conversion on the chain block stored in the block storage 
unit 202 to generate a converted block, and the block merging unit 208 merges the converted block with the 
cryptographic-processed block to generate a plaintext block (Step S1401). In the present example, a 64-bit first 
converted block is generated from the initial value IV of the chain block, and an exclusiveOR operation is performed 
on the 64-bit first converted block and the 64-bit first cryptographic-processed block for each corresponding bit to 
generate a 64-bit first plaintext block (Step S1 401 : first time). 

(9) The block storage unit 202 renews the chain block by storing the ciphertext block as the new chain block (Step 
S1402). In the present example, the first ciphertext block is stored as the new chain block (Step S1402: first time). 

(10) -(17) The same as Second Embodiment (Step S210: first time, Steps S201 , S202, S401 . S205, S206, S209, 
and S402: second time). 
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Embodiment of the present invention. 6nC rvDtion apparatus 10 of Seventh Embodiment shown in 

encryption apparatus 10. intermediate block from a converted block generated by the block 
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eighth encryption unit 105h to generate a cipherlext block, and not with the converted block generated by the block 
conversion unit 109 as in Seventh Embodiment. In the present example, for processing a first plaintext block, an ex- 
clusive-OR operation is performed on the 64-bit first cryptographic-processed block and the 64-bit first plaintext block 
for each corresponding bit to generate a 64-bit first ciphertext block. For processing second and third plaintext blocks, 
s an exclusive-OR operation is performed on the 64-bit second and third cryptographic-processed blocks and the 64-bit 
second and third plaintext blocks for each corresponding bit to generate 64-bit second and third ciphertext blocks, 
respectively. 

The block integration unit 1 07 integrates each ciphertext block generated by the block merging unit 1 08 and fraction 
ciphertext data generated by the fraction data processing unit 106 to generate ciphertext data. In the present example, 
10 the 64-bit first to third ciphertext blocks and 8-bit fraction ciphertext data are integrated to form 200-bit ciphertext data. 

<Construction of Data Decryption Apparatus 20> 

Fig. 37 shows the detailed construction of a data decryption apparatus 20, which is shown in Fig. 2, of Eighth 
is Embodiment of the present invention. 

The data decryption apparatus 20 of Eighth Embodiment includes a block dividing unit 201, a block storage unit 
202, a subkey generation unit 204, first to eighth encryption units 205i-205p, a fraction data processing unit 206, a 
block integration unit 207, a block merging unit 208, and a block conversion unit 209. 

Here, the same example is used as in First Embodiment where ciphertext data of 200 bits is inputted in the data 
20 decryption apparatus 20. 

The block storage unit 202 has a block renewal function. Each time the block dividing unit 201 generates a present 
ciphertext block, the block storage unit 202 renews a chain block by storing the ciphertext block as the new chain block, 
which is used for processing a next ciphertext block. In the present example, a 64-bit initial value IV which has been 
stored in advance is used for processing a first ciphertext block, and the first ciphertext block is stored as the new chain 
25 block. Next, this new chain block is used for processing a second ciphertext block, and the second ciphertext block is 
stored as the new chain block. Next, this new chain block is used for processing a third ciphertext block, and the third 
ciphertext is stored as the new chain block. Then this new chain block is used for processing fraction ciphertext data. 

Components whose names are the same as those of the data encryption apparatus 10 of Eighth Embodiment 
shown in Fig. 36 have the same functbns. Here, except that the input of the block storage unit 202 is different from 
30 the input of the block storage unit 102 of the data encryption apparatus 10, the construction of the data decryption 
apparatus 20 is the same as that of the data encryption apparatus 10. 

<Operation> 

3$ <Operation of Data Encryption Apparatus 10> 

Fig. 38 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Eighth Embod- 
iment of the present invention. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
40 cording to the DES algorithm in the data encryption apparatus 10 where 200-bit plaintext data is inputted and the initial 
value IV of the chain block is stored in the block storage unit 102 in advance. 

Steps which are the same as those in the operation of the data encryption apparatus 10 of Seventh Embodiment 
shown in Fig. 34 are given the same numbers, and are not explained here. 

45 0)-(3) The same as Seventh Embodiment (Steps S101, S102, and S301: first time). 

(4) The block conversion unit 1 09 performs predetermined conversion on the chain block stored in the block storage 
unit 102 to generate a converted block, and the first encryption unit 105a generates a first intermediate block from 
the converted block using the first subkey (Step S1501). In the present example, a 64-bit first converted block is 
generated from the initial value IV of the 64-bit chain block, and a first intermediate block is generated from the 

so 64-bit first converted block (Step S1 501 : first time). 

(5) -(6) The same as (6) and (7) of Seventh Embodiment (Steps S106 and S108: first time). 

(7) The eighth encryption unit 105h generates a cryptographic -processed block from the seventh intermediate 
block using the eighth subkey (Step S1502). In the present example, a first cryptographic-processed block is 
generated from the seventh intermediate block corresponding to the initial value IV of the chain block (Step S1 502: 

55 first time). 

(8) The block merging unit 108 merges the cryptographic-processed block with a plaintext block to generate a 
ciphertext block (Step S1503). In the present example, an exclusive-OR operation is performed on the 64-bit first 
cryptographic-processed block and the 64-bit first plaintext block for each corresponding bit to generate a 64-bit 



EP 0 874 496 A2 



first ciphertext block (Step S1 503: first time). t . , o» Q „ c cim «?102 and S30V 

(9)-(13) The same as Seventh Embodiment (Steps S1302 and S110: first time, Steps S101, S102. and S301. 

nTnStepSISOl a 64-bit second converted block is generated from the 64-brt chain block generated during 
£? pleXr fg of the fS plaintext b.oc k , and a first intermediate block is generated from the 64-b,t second con- 
verted block in the present example (Step S1501: second time). 

r1^^hfi^ The same as (16) and (17) of Seventh Embodiment (Steps S106 and S108. second time). 
7 " n Steo S15ol a slcond cryptographic-processed block is generated from the seventh intermediate block 

m^B^J^^ operation is performed on the 64-bit second c^ P togra P hic^essed block 
and the second I £Lt block for each corresponding bit to generate a 64-brt second cphertext block ,n 
the present example (Step S1503: second timey and ^ 

(19)-(23) The same as Seventh Embodiment (Steps S1302 and faiiu. seconu um«, 

l^So S1501 a 64-bit third converted block is generated from the 64-bit chain block generated during the 
pr^ssl^ 

block in the present example (Step SI 501 : third time). 

f *n The same as (26) and (27) of Seventh Embodiment (Steps S106 and S108. third time). 
(25)-(25) The same as w anu ; h ,~, k « nenerated from the seventh ntermediate block cor- 

S„ aS^aTLl U! i».-OB option is performed on .he 64-bit Md cwtographic^oc^ blocked 

SSSSTi? as « Ernbodirnen, 5.30, and S„0: ihird ,ime. ■* S,0, : ta*. *», S.eps 

S111-S113). 

<Operation of Data Decryption Apparatus 20> 

The operation of the data deception apparatus 20 is inverse conversion of the operation of the data encryption 

block or one of intermediate blocks may also be stored as the new chain block. 
Ninth Embodiment 

Ninth Embodiment of the present invention is deferent from Eighth Embodiment only in the input of a block storage 

unit. 

<Construction> 

The construction of an encrypted communication system of Ninth Embodiment is the same as that of First Em- 

bodiment, and is thereby not explained here. 

Construction of Data Encryption Apparatus 10> 

Fig. 39 shows the detailed construction of a data encryption apparatus 10, which is shown in Fig. 2. of Ninth 

Embodiment of the present invention. anriaratU s 1 0 of Eiahth Embodiment shown in 

Components which are the same as those in the data encryption •ft"*'"" em 
Fig. 36 are given the same numbers. Components whose functions are the same as those ry P 
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apparatus 10 of Eighth Embodiment are not explained here. 

The construction of the data encryption apparatus 10 of Ninth Embodiment is the same as that of Eighth Embod- 
iment. 

Here, the same example is used as in First Embodiment where plaintext data of 200 bits is inputted in the data 

5 encryption apparatus 10. 

The block storage unit 102 has a block renewal function. Each time the eighth encryption unit I05h generates a 
cryptographic-processed block, the block storage unit 1 02 renews a chain block by storing the cryptographic-processed 
block as the new chain block, which is used for processing a next plaintext block. In the present example, a 64-bit initial 
value IV which has been stored in advance is used for processing a first plaintext block, and a first cryptographic- 

10 processed block generated during the processing is stored as the new chain block. Next, the new chain block is used 
for processing a second plaintext block, and a second cryptographic-processed block generated during the processing 
is stored as the new chain block. Next, this new chain block is used for processing a third plaintext block, and a third 
cryptographic-processed block generated during the processing is stored as the new chain block. Then this new chain 
block is used for processing fraction plaintext data. 

15 

Construction of Data Decryption Apparatus 20> 

Fig. 40 shows the detailed construction of a data decryption apparatus 20, which is shown in Fig. 2, of Ninth 
Embodiment of the present invention. 
20 The construction of the data decryption apparatus 20 of Ninth Embodiment is the same as that of Eighth Embod- 

iment. Components whose names are the same as those of the data encryption apparatus 10 of Ninth Embodiment 
shown in Fig. 39 have the same functions, and is thereby not explained here. 

<Operation> 

25 

<Operation of Data Encryption Apparatus 10> 

The data encryption apparatus 1 0 of Ninth Embodiment of the present invention is the same as the data encryption 
apparatus 10 of Eighth Embodiment except the difference in the input of the block storage unit 102, so that its operation 
30 is not explained here. 

<Operation of Data Decryption Apparatus 20> 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
35 apparatus 10. 

The operation of the data decryption apparatus 20 of NintFTEmbodiment is the same as the data encryption ap- 
paratus 10 of Ninth Embodiment, and is thereby not explained here. 

In the cryptographic processing apparatus of Ninth Embodiment, a cryptographic-processed block generated dur- 
ing the cryptographic processing on a present block is stored as a chain block. When the cryptographic processing is 
40 performed on a next block, the chain block, on which the block conversion and the cryptographic processing have been 
performed, is then merged with a plaintext block or a ciphertext block. Thus, the chain block is renewed each time the 
cryptographic processing is performed. 

Tenth Embodiment 

45 

In Tenth Embodiment of the present invention, a function of renewing key data each time the cryptographic process- 
ing is performed on one block is further included in First Embodiment. 

<Construction> 

so 

The construction of an encrypted communication system of Tenth Embodiment is the same as that of First Em- 
bodiment, and is thereby not explained here. 

Construction of Data Encryption Apparatus 10> 

55 

Fig. 41 shows the detailed construction of a data encryption apparatus 10, which is shown in Fig. 2 t of Tenth 
Embodiment of the present invention. 

Components which are the same as those in the data encryption apparatus 10 of First Embodiment shown in Fig. 
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10 ol First Embodiment are not explained hem inr i, riaa . block dividing unit 101. a block storage unit 

The data encryption apparatus to o Tent* El *^£^ w '££ LypL units t05a-105h, a taction 
,02, a key data merging unit 103. a ^ ""J"^ ^ « Storage unlMIO 

a first plaintext block. . . k storage un it 1 02 with the key data stored 

The key data merging unrt 103 merges a ^^^"^^^J^, for processing a first plaintext 
in the key data storage unl 110 to generate merged ^^^J^Si, chain block and the inrta. value of the 
block, an exclusive-OR operation is performed on an .n t!j value IV ^onne ssj second and third plaintext 

data, respectively. «., a ii„nrtwn Each time the key data merging unit 103 generates 

The key data storage unit 1 10 has a key ^ta renew- t J merged key data as the new key 

merged key data, the key data storage unit HO renews he ^key dam y a va(ue ^ has been 

data which is used for processing a next plaintext block. In the ,prcsent ed du , ng the 

stored in advance is used for processing the ^^^^^^^^J^^ second plaintext block, 
processing is stored as the new key ^ J^" ^^^l^Jth. new key data. Next, this new key 

is stored as the new key data 

Construction ot Data Decryption Apparatus 20> 

Fig . 42 shows the detailed construction of a data decryption apparatus, which is shown in Fig. 2, o, Tenth Embod- 
iment of the present invention. . dec rvptton apparatus 20 of First Embodiment shown in Fig. 

! 1 ^rr:s^isS'• 1 ■*- kM ' ,,, *' ,,- "- 

202, a key data merging unit 203, a subkey generation unit « tat » e«» 0 W 

^etXtXS, un, 2,0 ..ores ke, data. An initial value o, the key data is stored in advance to, processing 

a first ciphertext block. b| k storage unit 2 02 with the key data stored 

The key data merging unit 203 merges a chain btock ^stored 9 processing a first ciphertext . 

in the key data storage unit 210 to generate ^^^^S^ZS^L bloc' and the Mb. value of the 
block, an exclusive-OR operation .s performed on an '"" a ' v ^ 
64-bit key dataforeachcorrespondingbittogene^ 

blocks, an exclusive-OR operat.cn « performed, tore** g ^ ^ ^ ^ 

50 

^tX— g eunit 2 l0hasakeyc_a^ 

merged key data, the key data storage ^ 0 ^^^t^Z^ the 64-bit initial va.ue which has 
ss data, which is used for processing a next c 'P h f °* the firt merged key data generated during 

been stored in advance is used for processing ^fJ^^'TuMd for processing the second ciphertext 
the processing is stored as the new key data. ^^^^g^ st0 redasthe new key data. Next, this new 
block and the second merged key data generated during the processing 




EP 0 874 496 A2 

key data is used for processing the third ciphertext block, and the third merged key data generated during the processing 
is stored as the new key data. 

<Operation> 

5 

<Operation of Data Encryption Apparatus 10> 

Fig. 43 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Tenth Embod- 
iment of the present invention. 

io steps which are the same as those in the operation of the data encryption apparatus 10 of First Embodiment 

shown in Fig. 10 are given the same numbers, and are not explained here. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data encryption apparatus 1 0 where 200-bit plaintext data is inputted and the initial 
value IV of the chain block is stored in the block storage unit 102 in advance. Also, the initial value of the key data is 

1$ stored in the key data storage unit 1 10 in advance. 

(1)-(2) The same as First Embodiment (Steps SI 01 and S102: first time). 

(3) The key data merging unit 103 merges the chain block stored in the block storage unit 102 with the key data 
stored in the key data storage unit 110 to generate merged key data, and the key data storage unit 110 renews 

*o the key data by storing the merged key data as the new key data (Step S1601). In the present example, an exclu- 

sive-OR operation is performed, for each corresponding bit, on the 64-bit initial value IV of the chain block stored 
in the block storage unit 102 and the 64-bit initial value of the key data stored in the key data storage unit 110 so 
as to generate first merged key data, which is then sent to the subkey generation unit 1 04, and the key data storage 
unit 110 renews the key data by storing the first merged key data as the new key data (Step S1601: first time). 

25 (4)-(12) The same as First Embodiment (Steps S104-S110: first time, Steps S101 and S102: second time). 

(13) In Step S1601 ; an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit chain block 
generated during the processing of the first plaintext block and the 64-bit key data generated during the processing 
of the first plaintext block so as to generate second merged key data, which is then sent to the subkey generation 
unit 104, and the key data storage unit 110 renews the key data by storing the second merged key data as the 

30 new key data, in the present example (Step S1601 : second time). 

(14) -(22) The same as First Embodiment (Steps S104-S110: second time, Steps S101 and S102: third time). 

(23) In Step S1601 : an exclusive-OR operation is performed, for each corresponding bit, on the 64-bit chain block 
generated during the processing of the second plaintext block and the 64-bit key data generated during the process- 
ing of the second plaintext block so as to generate third merged key data, which is then sent to the subkey gen- 

35 eration unit 104 : and the key data storage unit 110 renews the key data by storing the third merged key data as 

the new key data, in the present example (Step ST601: third time). 

(24) -(34) The same as First Embodiment (Steps S104-S110: third time, Step S101 : fourth time, Steps S111-S11 3). 
<Operation of Data Decryption Apparatus 20> 

40 

Fig. 44 is a flowchart showing the cryptographic processing of the data decryption apparatus 20 of Tenth Embod- 
iment of the present invention. 

The operation of the data decryption apparatus 20 is inverse conversion of the operation of the data encryption 
apparatus 10. 

45 Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 

cording to the DES algorithm in the data decryption apparatus 20 where 200-bit ciphertext data is inputted and the 
initial value IV of the chain block is stored in the block storage unit 202 in advance. Also, the initial value of the key 
data is stored in the key data storage unit 210 in advance. 

so (1 )-(2) The same as First Embodiment (Steps S201 and S202: first time). 

(3) The key data merging unit 203 merges the chain block stored in the block storage unit 202 with the key data 
stored in the key data storage unit 210 to generate merged key data, and the key data storage unit 210 renews 
the key data by storing the merged key data as the new key data (Step S1701). In the present example, an exclu- 
sive-OR operation is performed, for each corresponding bit, on the 64-bit initial value IV of the chain block stored 

55 in the block storage unit 202 and the 64-bit initial value of the key data stored in the key data storage unit 210 so 

as to generate first merged key data, which is then sent to the subkey generation unit 204, and the key data storage 
unit 210 renews the key data by storing the first merged key data as the new key data (Step S1701 : first time). 

(4) -(1 2) The same as First Embodiment (Steps S204-S210: first time, Steps S201 and S202: second time). 
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,13,^3,70, an exci^Rope^^^^ 

have been generated when ma ^T**r^^T<XZ>L n«t block, the chain blocK I. merged 
''Tibe^edthatv^TenthEn—^^^ 

Eleventh Embodiment 

InElovenmE—tdthepre.en^^ 

block, a block which is to be subjected to the cryptograph* process.ng, ana 
block is further included in First Embodiment. 

<Construction> 

The c— , d an erupted cc— tlor, system o, Eleventh Embodiment ,s the same as that c. Firs, 
Embodiment, and is thereby not explained here. 
Construction ot Data Encryption Apparatus 1 0> 

. . Fig. « s^s ,he M consttucto 0, a d„a encrypts apparatus 10. «*h is s*o«n * Fig. 2. o, Eleven., 
Embodiment ol the present invention erK!rvo tion apparatus 10 ol First Embodiment shorn in Fig. 

102 a kev data merging unit 103, a subkey generation unit 104, first o eigntn i enwyp 

encryption apparatus 10. anna r fl tus 30 shown in Fig. 1 and the data encryption apparatus 

Comparison between the conventional encryption apparatus » 8 ^"» tothe comparison between the 

b ,ock based on a chain block stored in the block ■f?^J^^^ tlw unit 102 are '001 ■, the b.ock 
unit 102. For example, when lowest 3 bits ot the (tanbbdM jJ^J. are WV-'W. the block selection 
selection unit 111 selects a first intermediate block, ^Z^^*™*^ 3 tU are OT and the fourth 
unit 111 selects second to seventh intermediate ^^^^M^ the lowest 3 bits are -000" and the 
: lowest bit is V. the block selection unrt 111 selec s the P™"** 

fourth lowest bit is "1 \ ihe block selection unit Vl^lS^JSLti^ by the block selection unit 111 as 
The block storage unit 102 renews the chain ^ *^^„^Ui example, a 64-bit initial value 
the new chain block, which is used for process.ng a next plaintext block. p 
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IV which has been stored in advance is used for processing a first plaintext block, and a block selected based on lowest 
4 bits of the initial value I V is stored as the new chain block. Next, this new chain block is used for processing a second 
plaintext block, and a block selected based on lowest 4 bits of the chain block is stored as the new chain block. Next, 
this new chain block is used for processing a third plaintext block, and a block selected based on lowest 4 bits of the 
5 chain block is stored as the new chain block. Then this new chain block is used for processing fraction plaintext data. 

Construction of Data Decryption Apparatus 20> 

Fig. 46 shows the detailed construction of a data decryption apparatus, which is shown in Fig. 2, of Eleventh 
10 Embodiment of the present invention. 

Components which are the same as those in the data decryption apparatus 20 of First Embodiment shown in Fig. 
8 are given the same numbers. Components whose functions are the same as those in the data decryption apparatus 
20 of First Embodiment are not explained here. 

The data decryption apparatus 20 of Eleventh Embodiment includes a block dividing unit 201 , a block storage unit 
is 202, a key data merging unit 203, a subkey generation unit 204, first to eighth decryption units 205a-205h, a fraction 
data processing unit 206, a block integration unit 207, and a block selection unit 211. 

Here, the same example is used as in First Embodiment where ciphertext data of 200 bits is inputted in the data 
decryption apparatus 20. 

The block selection unit 211 selects one block out of a ciphertext block, each intermediate block, and a plaintext 
20 block based on a chain block stored in the block storage unit 202, and sends the selected block to the block storage 
unit 202. For example, when lowest 3 bits of the chain block stored in the block storage unit 202 are "001 the block 
selection unit 211 selects a first intermediate block, while when the lowest 3 bits are ■OlO'-'Hr, the block selection 
unit 211 selects second to seventh intermediate blocks, respectively When the lowest 3 bits are "000" and the fourth 
lowest bit is "0", the block selection unit 211 selects the plaintext block, while when the lowest 3 bits are "000" and the 
2* fourth lowest bit is "1 ", the block selection unit 211 selects a ciphertext block. 

The block storage unit 202 renews the chain block by storing the block selected by the block selection unit 211 as 
the new chain block, which is used for processing a next ciphertext block. In the present example, a 64-bit initial value 
IV which has been stored in advance is used for processing a first ciphertext block, and a block selected based on 
lowest 4 bits of the initial value IV is stored as the new chain block. Next, this new chain block is used for processing 
30 a second ciphertext block, and a block selected based on lowest 4 bits of the chain block is stored as the new chain 
block. Next, this new chain block is used for processing a third ciphertext block, and a block selected based on lowest 
4 bits of the chain block is stored as the new chain block. Then this new chain block is used for processing fraction 
ciphertext data. 

35 <Operation> 

<Operation of Data Encryption Apparatus 10> 

Fig. 47 is a flowchart showing the cryptographic processing of the data encryption apparatus 10 of Eleventh Em- 
40 bodiment of the present invention. 

Steps which are the same as those in the operation of the data encryption apparatus 10 of First Embodiment 
shown in Fig. 10 are given the same numbers, and are not explained here. 

Here, the same example as in First Embodiment is used, wherein the cryptographic processing is performed ac- 
cording to the DES algorithm in the data encryption apparatus 10 where 200-bit plaintext data is inputted and the initial 
45 value IV of the chain block is stored in the block storage unit 102 in advance. 

(1)-(8) The same as (1)-(6), (8), and (9) of First Embodiment (Steps S101-S106, S108, and S109: first time). 

(9) The block selection unit 111 selects one block out of the plaintext block, each of the intermediate blocks, and 
the ciphertext block based on the chain block stored in the block storage unit 102, and the block storage unit 102 

so renews the chain block by storing the selected block as the new chain block (Step S1801 ). In the present example, 

when lowest 3 bits of the initial value Iv of the chain block stored in the block storage unit 102 are, for example, 
"011 ", the third intermediate block corresponding to the first plaintext block is selected and stored as the new chain 
block (Step S1801: first time). 

(10) -(18) The same as First Embodiment (Step S110: first time, Steps S101-S106, S108, and S109: second time). 
55 (1 g) in Step S1801 , when lowest 4 bits of the selected chain block which was generated during the processing of 

the first plaintext block are, for example, "0000", the second plaintext block is selected and stored as the new chain 
block in the present example (Step S1801: second time). 

(20)-(28) The same as First Embodiment (Step S110: second time, Steps S101-S106, S108, and S109: third time). 
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. t . rhain block W hich was generated during the processing of 

(29) in Step S1801 , when lowest 4 W^.^^^?^ otock'is selected and stored as the new 
the second plaintext block are, for example, 1000. the tmra P 

chain block in the present example (Step S ilBO^h.rd time . ^ ^ ^ S111 . sm) 

(30) -(34) The same as First Embodiment (Step S1 1 0. third time, oi v 

<Operation of Data Decryption Apparatus 20> 

^tCS™.ad" Wto apparatus 20 , S invars* - *• «P«— - •» — -»»«- 

apparatus 10. . whprein the cryptographic processing is performed ac- 

Here, the same example as in First ^^^^^ 2^0 bifciphertext data is inputted and the 
cording to the DES algorithm in the data dec ^ n ^^.^ aL^ce. 
initial value IV of the chain block is stored in the block storage unit 202 in advan 

K^ im0 nt <<ypos S201 -S206. S208, and S209: first time). 
(1 H 8) The same as (1)-(6), (8), and (9) of First E^PJJ^ eac ' h of the inleime diate b.ocks. and 
9 The block selection unit 211 selects one block ou t o f ^ g^^i 202 , and the block storage unit 202 
he plaintext block based on the chain block stored " ^ b ^2X" g^psiMI). In the present example, 
renews the chainblock by sto^ 

when lowest 3 bits of the initial value IV of the chain block ^s je eo ^ ^ gs the new 

■011". the third intermediate block corresponding to the first c.pnertext d.oc 

chain block (Step SI 901 : first time) _ S2Q6 s208 and s209: seC0 nd time). 

(10M1B) The same as First Embodiment (Step S210. first «w s»P : durj the processing of the first 

^^^^ 

in the present example (Step S1901: <™>- step s201; fourth time, Steps S211-S213). 

(30)-(34) The same as First Embodiment (Step S210. thira time, o v 

.u c^hrtHimpni a block such as an intermediate block gen- 
,n the cryptographic processing apparatus of ^ < ^^ k SS rlBn merged with key data when next 

erated in present cryptographic processing, JV^J^d by selecting one out of the plurality of btocks 

cryptographic processing is performed. Thus, the chain block ™™* J processing is performed. 

including intermediate blocks using the ch *" bl ^?^^^ J till and the block selection unrt 211 
,t should be noted that while in Eleventh ^^X^6xT£Zl^n apparatus 20 of First Embodi- 

are respectively included in the data encryption "^J^J^^o Tenth Embodiments. 

merit, the block selection units 111 and 211 may also be included in becona 

Twelfth Embodiment 

processing unit 106 in the data encryption apparatus 10 oi i-irsi cm 
<Construction> 

bodiment, and is thereby not explained here. 
Construction of Data Encryption Apparatus 10> 



Here, the same example is used as in First ! 
option apparatus 10. 

Components which have the same functions 
shown in Fig. 3 are not explained here. processing unit 106 of Twelfth Embodiment of the 

Fig. 49 shows the detailed construction of the fraction aaia prou y 
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present invention. 

On receiving fraction plaintext data from the block dividing unit 101, the fraction data processing unit 106 has the 
first to eighth encryption units 105a-105h perform the cryptographic processing such as encryption on an immediately 
preceding ciphertext block using a chain block stored in the block storage unit 102 so as to generate a fraction data 
processing block, which is used to generate fraction ciphertext data whose number of bits is the same as the fraction 
plaintext data from the fraction plaintext data. The fraction data processing unit 106 includes a data matching unit 106a, 
a fraction data merging unit 106b, and a ciphertext block storage unit 106c. 

The ciphertext block storage unit 106c stores the ciphertext block generated immediately before processing the 
fraction plaintext data. For processing the fraction plaintext data, the ciphertext block storage unit 106c sends the 
stored ciphertext block to the first to eighth encryption units 105a-105h. In the present example, the ciphertext block 
storage unit 106c stores a third ciphertext block, which is sent to the first to eighth encryption units 105a-105h for 
processing the fraction plaintext data. 

The first to eighth encryption units 105a-105h perform the same cryptographic processing as in First Embodiment 
to generate the fraction data processing block from the ciphertext block sent from the ciphertext block storage unit 
106c. In the present example, a fraction data processing block is generated from the third ciphertext block. 

The data matching unit 106a generates matched data whose number of bits is the same as the fraction plaintext 
data from the fraction data processing block generated in the above cryptographic processing. In the present example, 
the fraction plaintext data is 8 bits, so that matched data which is composed of, for instance, highest 8 bits of the fraction 
data processing block is generated. 

The fraction data merging unit 106b merges the matched data with the fraction plaintext data. In the present ex- 
ample, an exclusive-OR operation is performed on the 8-bit matched data and the 8-bit fraction plaintext data for each 
corresponding bit to generate 8-bit fraction ciphertext data. 

<Operation> 

<Operation of Data Encryption Apparatus 10> 

Fig. 50 is a flowchart showing the fraction data processing of the data encryption apparatus 10 of Twelfth Embod- 
iment of the present invention. 

As one example, a case is explained when the cryptographic processing is performed according to the DES algo- 
rithm in the data encryption apparatus 1 0 where 200-bit plaintext data is inputted and an initial value IV of a chain block 
is stored in the block storage unit 102 in advance, and where a third ciphertext block is stored in the ciphertext block 
storage unit 106c after first to third plaintext blocks have already been encrypted, and the remaining 8 bits of the 
plaintext data is sent to the faction data processing unit 1 06 from the block dividing unit 1 01 as fraction plaintext data. 

"""" (1) The key data merging unit 103 merges the chain block stored in the block storage unit 102 with key data to 
generate merged key data (Step S2001). In the present example, an exclusiveOR operation is performed, for 
each corresponding bit, on a 64-bit chain block generated when processing the third plaintext block and 64-bit key 
data so as to generate merged key data, which is then sent to the subkey generation unit 104. 

(2) The subkey generation unit 104 generates subkeys whose number corresponds to the number of encryption 
units from the merged key data (Step S2002). In the present example, eight 48-bit subkeys are generated from 
the 64-bit merged key data. 

(3) The first encryption unit 105a generates a first intermediate block from an immediately preceding ciphertext 
block stored in the ciphertext block storage unit 106c using the first subkey (Step S2003). In the present example, 
a first intermediate block is generated from the third ciphertext block. 

(4) The second to seventh encryption units 105b-105g generate second to seventh intermediate blocks from the 
first to sixth intermediate blocks using the second to seventh subkeys, respectively (Step S2004). In the present 
example, second to seventh intermediate blocks are generated from the first to sixth intermediate blocks corre- 
sponding to the third ciphertext block, respectively. 

(5) The eighth encryption unit 1 05h generates a fraction data processing block from the seventh intermediate block 
using the eighth subkey (Step S2005). In the present example, a fraction data processing block is generated from 
the seventh intermediate block corresponding to the third ciphertext block. 

(6) The data matching unit 1 06a generates matched data whose number of bits is the same as the fraction plaintext 
data from the fraction data processing block generated in the above cryptographic processing (Step S2006). In 
the present example, the fraction plaintext data is 8 bits, so that matched data which is composed of, for instance, 
highest 8 bits of the fraction data processing block is generated. 

(7) The fraction data merging unit 106b merges the matched data with the fraction plaintext data to generate 
fraction ciphertext data (Step S2007). In the present example, an exclusive-OR operation is performed on the 8-bit 
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matched data and the 8-bit traction plaintext dala tot each corresponding bit to generate 8-bit traction ciphertext 

^iTnr^n"^ 

grated to term 200-bit ciphertext data. 

.tshouldbenotedtha^^^ 
processing unit 106 in the data encryption a l^^^^ Be Jn^ h the fraction data processing o the 
processing unit 206 in the data decryption appartu>8 c Ac J.^.^ precedjng cipnerte xt block 

Sata decryption apparatus 20, the <W^^*S2! a fraction data processing block, which is used for gen- 
as the new input block using a cha.n block so , « to JJJ^a t« ^ data <rom the tad«. cjphertod 

^J^beno^ 

processing unit in 16 stages Is P^^^^SS^^ cryptographic processing units from ,he 

The algorithm used in each Embodiment .s not ^ *™ £ y f q{ stages mgy be app „ ed 

the stages of the cryptographic processing ™* mainly US ed as a chain block, the present invents 

WhileinaboveEmbodiments.theoutputof^^ 

is not limited to such, as an output of any stage may be used as ^ c " a jn each Embod ,ment described 

' Sn wS the number of bits of the chain bl^is t^ 

above, this may not be necessarily the case. ^^^^S?bWc or the like, data whose number of brts ,s the same 
in Embodiments in which the key data « merged w.th th ^ w l ^ e key data, the generated data then being merged 
as the key data is generated from the block to .be J ^ f e Sal is fcrger than 64 bits, data whose number of 
wfth the key data. For example, when the merged with the key data by means o expanse 

bits is the same as the key data is generated ^^/^.^^Xr of bits of the key data is smaller than 64 bits 

oMhe .ike and then merged with ^J^^^X^^ »» data ' »» ^ ^ 

data which is composed of highest bits of the bloc to be me . g ^ 

of the same number of brts as the key data, » generated and mergeo ^ encryptlon apparatus 

Wh«e in each Embodiment described ab ove ,nput P^ «£^ Q » in each data decryption apparatus 

1 0 and ciphertext data generated by-the data enc ™ J of the encryption by the data encryption 

20 the deception by the data decryption apparatus 2 s t .nverse onv Accordingl y, 

apVaratus^ 

in each Embodiment plaintext data may be .npu « ed a " d ted in the data encryption apparatus 10. 
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so data, comprising: 
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wherein the storage means renews the chain data by storing the intermediate data outputted by the main 
cryptographic processing means as new chain data, which is used for the next cryptographic processing. 

The cryptographic processing apparatus of Claim 1 , 

wherein the main cryptographic processing means includes a plurality of stages which each perform a partial 
process, 

wherein data obtained by a present stage is subjected to a partial process of a next stage, 

wherein data obtained by a last stage is the output data : and data obtained by each stage except the last 

stage is at least one set of intermediate data, and 

wherein the storage means stores one of the sets of intermediate data outputted by the main cryptographic 
processing means as the new chain data. 

The cryptographic processing apparatus of Claim 2, 

wherein the input data includes key data and cryptographic-processing object data which is to be subjected 
to the cryptographic processing, 

wherein the merging means merges the chain data stored in the storage means with the key data to generate 
merged key data, and 

wherein the cryptographic processing apparatus further comprises 

subkey generation means lor generating, from the merged key data, a plurality of subkeys corresponding to 
the plurality of stages in the main cryptographic processing means, and for sending the plurality of subkeys 
to the plurality of corresponding stages, which each use a corresponding subkey to perform the partial process, 
wherein the main cryptographic processing means generates the output data from the cryptographic-process- 
ing object data as a result of the partial process performed by each stage using the corresponding subkey 

The cryptographic processing apparatus of Claim 3, further comprising: 

block preparation means for dividing the cryptographic-processing object data into blocks each having a pre- 
determined number of bits and for preparing one block which is to be subjected to the cryptographic processing 
in turn, 

wherein the cryptographic processing apparatus performs the cryptographic processing in units of blocks; and 
fraction data processing means for generating, from fraction data which is smaller than one block and is gen- 
erated when the block preparation means divides the cryptographic-processing object data into the blocks, 
output data of a same length as the fraction data using the chain data. 

The cryptographic processing apparatus of Claim 4, 

wherein the fraction data processing means includes: 

data matching means for generating fraction chain data of the same length as the fraction data from the chain 
data: and 

fraction data merging means for merging the fraction chain data with the fraction data to generate the output 
data of the same length as the fraction data. 

The cryptographic processing apparatus of Claim 4, 

wherein the fraction data processing means includes: 

block storage means for storing a block generated by the main cryptographic processing means performing 
the main cryptographic processing, and for sending, when the fraction data is generated, the stored block to 
the main cryptographic processing means as new cryptographic-processing object data, 
wherein the main cryptographic processing means generates output data from the block sent from the block 
storage means and sends the generated output data to the fraction data processing means as a fraction data 
processing block; 

data matching means for generating matched data of the same length as the fraction data from the fraction 
data processing block; and 

fraction data merging means for merging the matched data with the fraction data to generate output data of 
the same length as the fraction data. 



EP 0 874 496 A2 



5 



performed by an exclusive-OR operalion tor each corresponding bit. 

data received from the apparatus for encrypting, 

wherein the storage means stores an initial value of the chain data in advance, which is used first time cryp- 

aCys t hverse conversion of cryptographic processing performed by the apparatus for encrypting. 
9. The cryptographic processing apparatus of Claim 3, further comprising 
key datastorage meansforstoring^ 

tTm^ging means merges the chain data stored in the storage means with the key data stored in 

used for next cryptographic processing. 

10. The cryptographic processing apparatus of C^im 2^ ^ ^ jntermedjate data 

processing. 

11. The cryptographic processing apparatus of Claim 1 , 

wherein the input data includes key data and c.yptographici.roeessing object data which Is to be subject 

;ss-t ^ - -* - — * - -nsrir me cw,09raph " 

data to generate output data from the merged cryptograph.c-process.ng object data. 

ing: 

storaae means for storing chain data which is used for reflecting present cryptographic processing on next 

13. Acryptographicprocessingapparatusforperformingcryptographicprocessingu 

data, comprising: 
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storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
merging means for merging the chain data stored in the storage means with any of the input data and one 
part of the input data to generate merged data; 

first main cryptographic processing means for performing first main cryptographic processing using the merged 
data to generate intermediate data; and 

second main cryptographic processing means for performing second main cryptographic processing using 
the merged data to generate the output data, 

wherein the storage means renews the chain data by storing the intermediate data generated by the first main 
cryptographic processing means as new chain data, which is used for the next cryptographic processing. 

14. The cryptographic processing apparatus of Claim 13, 

wherein the input data includes key data and cryptographic-processing object data which is to be subjected 
to the cryptographic processing, 

wherein the merging means merges the chain data stored in the storage means with the key data to generate 
merged key data, 

wherein the cryptographic processing apparatus further comprises 

subkey generation means for generating a first set of subkeys of the first main cryptographic processing means 
which are used for the first main cryptographic processing and a second set of subkeys of the second main 
cryptographic processing means which are used for the second main cryptographic processing, 
wherein the first main cryptographic processing means performs the first main cryptographic processing using 
the first set of subkeys to generate the intermediate data from the cryptographic-processing object data, and 
wherein the second main cryptographic processing means performs the second main cryptographic processing 
using the second set of subkeys to generate the output data from the cryptographic-processing object data. 

15. The cryptographic processing apparatus of Claim 14, further comprising: 

block preparation means for dividing the cryptographic-processing object data into blocks each having a pre- 
determined number of bits and for preparing one block which is to be subjected to the cryptographic processing 
in turn, 

wherein the cryptographic processing apparatus performs the cryptographic processing in units of blocks; and 
fraction data processing means for generating, from fraction data which is smaller than one block and is gen- 
erated when the block preparation means divides the cryptographic-processing object data into the blocks, 
output data of a same length as the fraction data using the chain data. 

16. The cryptographic processing apparatus of Claim 15, 

wherein the fraction data processing means includes: 

data matching means for generating fraction chain data of the same length as the fraction data from the chain 
data; and 

fraction data merging means for merging the fraction chain data with the fraction data to generate the output 
data of the same length as the fraction data. 

17. The cryptographic processing apparatus of Claim 15, 

wherein the fraction data processing means includes: 

block storage means for storing a block generated by the second main cryptographic processing means per- 
forming the second main cryptographic processing, and for sending, when the fraction data is generated, the 
stored block to the second main cryptographic processing means as new cryptographic-processing object 
data, 

wherein the second main cryptographic processing means generates output data from the block sent from the 
block storage means and sends the generated output data to the fraction data processing means as a fraction 
data processing block; 

data matching means for generating matched data of the same length as the fraction data from the fraction 
data processing block; and 

fraction data merging means for merging the matched data with the fraction data to generate output data of 
the same length as the fraction data. 
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1 8. The cryptographic processing apparatus of Claim 14. further comprising 

key datastoragemeansforstoringthekey data and for renewing the key data each time cryptographic process- 

wh'ere^thTm^ging means merges the chain data stored in the storage means with the key data stored in 
the key data storage means to generate the merged key data, and 
lerlthekeydatestoragemeansstoresaninitialvalueofthekeyd 

pTieTsing is performed, and renews the key data by storing the merged key data as new key data, wh,ch ,s 
used for next cryptographic processing. 

o 

19. The cryptographic processing apparatus of Claim 13, 

wherein the inpul data includes key data and cryplographic-processing object data which Us to be subjected 

SIS,^ *» *a,n data stored in the storage means wKh ft. cryptograph*- 
processing object data to generate merged cryptographic-processing object data, 
'wherein the first main cryptographic processing means performs the first ma.n ^^j^^™"* 
the key data to generate intermediate data from the merged cryptographic-processing object data, and 
wherefnthesecLmaincryptographteprocessing means performs thesecond main cryptographic processing 
20 using the key data to generate output data from the merged cryplograph.c-prccess.ng object data. 

20. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data f rom cryptographic-processing object data which is to be subjected to the cryptographic prccess.ng, compr.s- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing ,s performed 
meS means for merging the chain data stored in the storage means with the key data to generate merged 
key data; 

so subkey generation means for generating subkeys from the merged key data, , el „ rt , hacnh 

first main cryptographic processing means for performing first main cryptographic processing using the sub- 
kevs to Generate the output data from the cryptographic-processing object data; and 
To^™"% P Xo Q Juic processing means for performing second main cryptograph* process.ng using 
the subkeys to generate intermediate data from the output data, 

wherein the subkey generation means generates, from the merged key data, a first set of subkeys , of the ftnA 
marcryptographicprocessingmeanswhichareusedforthefirst main cryptograph.cprocess.ng and a second 
s?,3bkeys of the second main cryptographic processing means which are used for the second ma,n Ct)fP . 

m* i cryptographic processing means as new chain data, which is used for the next cryptograph* processing. 

21. A cryptographic processing apparatus lor performing cryptographic processing using key data to generate .output 
data^fromcryptographic-prL 
ing: 

storaoe means for storing chain data which is used for reflecting present cryptographic processing on next 
c^ap'c P ccelsing 9 and for renewing the chain data each time cryptographic processing 
2main cryptographic processing means for performing first main cryptographic processing us.ng the key 
data to generate intermediate data from the cryptographic-processing object data; nr ^. a usinQ 

second main cryptographic processing means for performing second ma.n cryptograph* Processing using 
the key data to generate cryptographic-processed data from the cryptograph.c-processins .object da* and 
merging means for merging the chain data stored in the storage means with the c ryptographK-processed data 

7eS:^ 

olographic processing means as new chain data, which is used for the next cryptographic processmg. 

22 A cryptographic processing apparatus for performing cryptographic processing using key data to gene rate » output 
IXm^raphic-prccessing object data which is to be subjected to the cryptograph* processing, compns- 
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ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
first main cryptographic processing means for performing first main cryptographic processing using the key 
data to generate cryptographic-processed data from the chain data; 

merging means for merging the cryptographic-processed data with the cryptographic-processing object data 
to generate intermediate data, 

wherein the storage means renews the chain data by storing the intermediate data as new chain data, which 
is used for the next cryptographic processing; and 

second main cryptographic processing means for performing second main cryptographic processing using 
the key data to generate the output data from the intermediate data. 

23. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
first main cryptographic processing means for performing first main cryptographic processing using the key 
data to generate cryptographic-processed data from the chain data; 

second main cryptographic processing means for performing second main cryptographic processing using 
the key data to generate intermediate data from the cryptographic-processing object data, 
wherein the storage means renews the chain data by storing the intermediate data as new chain data, which 
is used for the next cryptographic processing; and 

merging means for merging the cryptographic-processed data with the intermediate data to generate the output 
data. 

24. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
first main cryptographic processing means for performing first main cryptographic processing using the key 
data to generate intermediate data from the chain data, 

wherein the storage means renews the chain data by storing the intermediate data as new chain data, which 
is used for the next cryptographic processing; 

merging means for merging the intermediate data with the cryptographic-processing object data to generate 
merged data; and 

second main cryptographic processing means for performing second main cryptographic processing using 
the key data to generate the output data from the merged data. 

25. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
first main cryptographic processing means for performing first main cryptographic processing using the key 
data to generate intermediate data from the chain data, 

wherein the storage means renews the chain data by storing the intermediate data as new chain data, which 
is used for the next cryptographic processing; 

second main cryptographic processing means for performing second main cryptographic processing using 
the key data to generate cryptographic-processed data from the cryptographic-processing object data; and 
me rging means for merging the intermediate data with the cryptographic-processed data to generate the output 
data. 
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data, comprising: 

means ,or s,o* 9 M. da,a ** is .sad "^^J^SS^S^^S 

data> .t. u • m*** km ctnrinn as new chain data, one out ot the intermediate 

r :^zrrr zz sets «. «, - - * - « 

cryptographic processing. 

a bit conversion. 
20 28. The cryptographic processing apparatus of Claim 27, 

herein the input data includes k ey data and cryptographic-processing object data which is to be subjected 

to the cryptographic processing, generate merged key data, 

wherein the merging means merges the converted data _wrth * • ke *^ ta 9 usj the 

wherein the main cryptographic processing ^^T^^S^^ data, and 

merged ^^9^^^^^^^^^^ one out ol the intermediate 
wherein the storage means renews the cha,n data by stonng as _new chain ^ for ^ 

data, the cryptographic-processing object data, and the output data, the new 
next cryptographic processing. 

30 • • 

29 The cryptographic processing apparatus of Claim 28, further comprising: 

output data of a same length as the fraction data using the chain data. 

40 

30. The cryptographic processing apparatus of Claim 29, 

Snla nwgino means ,or margin, « «*» cnain da,a * M WW «. » g«« •» «■« 

data of the same length as the fraction data. 

31. The cryptographic processing apparatus of Claim 29, 

wherein the fraction data processing means includes: converted 
data matching means for generating matched data of the same length as the 

d 313 ' and . ... . u/ith the fraction data to generate output data of 

fraction data merging means for merging the matched data with the tract.on a g 

ss the same length as the fraction data. 

32. The cryptographic processing apparatus of Claim 28, further comprising 
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key data storage means for storing the key data and renews the key data each time cryptographic processing 
is performed, 

wherein the merging means merges the converted data with the key data stored in the key data storage means 
to generate merged key data, and 

wherein the key data storage means stores an initial value of the key data which is used first time cryptographic 
processing is performed, and renews the key data by storing the merged key data as new key data, which is 
used for next cryptographic processing. 

33. The cryptographic processing apparatus of Claim 27, 

wherein the input data includes key data and cryptographic-processing object data which is to be subjected 
to the cryptographic processing, 

wherein the merging means merges the converted data with the cryptographic-processing object data to gen- 
erate merged cryptographic-processing object data : 

wherein the main cryptographic processing means performs the main cryptographic processing using the key 
data to generate the output data from the merged cryptographic-processing object data, and 
wherein the storage means renews the chain data by storing, as new chain data, one out of the intermediate 
data, the cryptographic-processing object data, the merged cryptographic-processing object data, and the 
output data, the new chain data being used for the next cryptographic processing. 

34. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
conversion means for performing a predetermined conversion on the chain data stored in the storage means 
to generate converted data; 

main cryptographic processing means for performing main cryptographic processing using the key data to 
generate cryptographic-processed data from the cryptographic-processing object data and for outputting in- 
termediate data generated during a generation of the cryptographic-processed data; and 
merging means for merging the converted data with the cryptographic-processed data to generate the output 
data, 

wherein the storage means renews the chain data by storing, as new chain data, one out of the intermediate 
data, the cryptographic-processing object data, the cryptographic-processed data, and the output data, the 
new chain data being used for the next cryptographic processing. - ~ - — " 

35. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
conversion means for performing a predetermined conversion on the chain data stored in the storage means 
to generate converted data; 

main cryptographic processing means for performing main cryptographic processing using the key data to 
generate cryptographic-processed data from the converted data; and 

merging means for merging the cryptographic-processed data with the cryptographic-processing object data 
to generate the output data; 

wherein the storage means renews the chain data by storing the output data as new chain data, which is used 
for the next cryptographic processing. 

36. A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
data from cryptographic-processing object data which is to be subjected to the cryptographic processing, compris- 
ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing on next 
cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; 
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conversion means for performing a predetermined conversion on the chain data stored in the storage means 
to aenerate converted data; . . . . 

main cryptographic processing means for performing main cryptograph* processing using the key data to 
qenerate cryptographic-processed data from the converted data; and 

merging mins for merging the cryptographic-processed data with the cryptograph.c-process.ng object data 

chain data, which is used for the next cryptographic processing. 

37 A cryptographic processing apparatus for performing cryptographic processing using key data to generate output 
dSom c^ptographic-processing object data which is to be subjected to the cryptograph* process.ng, compr.s- 

ing: 

storage means for storing chain data which is used for reflecting present cryptographic processing or i next 
cryptographic processing and for renewing the chain data each time cryptograph* processing » performed, 
c^on means tor performing a predetermined conversion on the chain data stored m the storage means 

X °r:^Z*Z^ -ans for performing main cryptograph* processing using the key data to 

is used for the next cryptographic processing; and u^j, tet ,«„. ra t. 
merging means for merging the intermediate data with the cryptograph.c-process.ng object data to generate 

the output data. 

38. A cryptographic processing method for performing cryptographic processing using input data to generate output 

data, 

wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

f main cryptographic processing step of performing main cryptographic processing using 

generate the output data and of outputting intermediate data wh.ch .s generated dunng a generate of the 

aX^o' storing the intermediate data outputted in the main cryptographic processing step into the 
storage means as new Lin data in order to renew the chain data stored in the storage means, the new cha.n 
data being used for the next cryptographic processing. 

39. A cryptographic processing method for performing cryptographic processing using input data to generate output 

data, 

wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

rerTg^™ 

L storage means as new chain data in order to renew the chain data stored m the storage means, the new 
chain data being used for the next cryptographic processing. 

40. A cryptographic processing method for performing cryptographic processing using input data to generate output 
data, 
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wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

the cryptographic processing method comprising: 

a conversion step of performing a predetermined conversion on the chain data stored in the storage means 
to generate converted data; 

a merging step of merging the converted data with the input data to generate merged data; 

a main cryptographic processing step of performing main cryptographic processing using the merged data to 

generate the output data and of outputting intermediate data generated during a generation of the output data; 

and 

a storage step of storing, as new chain data, one out of the intermediate data, the input data, the converted 
data, and the output data into the storage means in order to renew the chain data stored in the storage means, 
the new chain data being used for the next cryptographic processing. 

41. A computer-readable storage medium which stores a cryptographic processing program for performing crypto- 
graphic processing using input data to generate output data, 

wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

the cryptographic processing program comprising: 

a merging step of merging the chain data stored in the storage means with the input data to generate merged 
data; 

a main cryptographic processing step of performing main cryptographic processing using the merged data to 
generate the output data and of outputting intermediate data which is generated during a generation of the 
output data; and 

a storage step of storing the intermediate data outputted in the main cryptographic processing step into the 
storage means as new chain data in order to renew the chain data stored in the storage means, the new chain 
data being used for the next cryptographic processing. 

42. A computer-readable storage medium which stores a cryptographic processing program for performing crypto- 
graphic processing using input data to generate output data, 

wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

the cryptographic processing program comprising: 

a merging step of merging the chain data stored in the storage means with any of the input data and one part 
of the input data to generate merged data; 

a first main cryptographic processing step of performing first main cryptographic processing using the merged 
data to generate intermediate data; 

a second main cryptographic processing step of performing second main cryptographic processing using the 
merged data to generate the output data; and 

a storage step of storing'the intermediate data generated in the first main cryptographic processing step into 
the storage means as new chain data in order to renew the chain data stored in the storage means, the new 
chain data being used for the next cryptographic processing. 

43. A computer-readable storage medium which stores a cryptographic processing program for performing crypto- 
graphic processing using input data to generate output data, 

wherein storage means stores chain data which is used for reflecting present cryptographic processing on 

next cryptographic processing, 

the cryptographic processing program comprising: 

a conversion step of performing a predetermined conversion on the chain data stored in the storage means 
to generate converted data; 

a merging step of merging the converted data with the input data to generate merged data; 

a main cryptographic processing step of performing main cryptographic processing using the merged data to 

generate the output data and of outputting intermediate data generated during a generation of the output data; 

and 

a storage step of storing, as new chain data, one out of the intermediate data, the input data, the converted 
data, and the output data into the storage means in order to renew the chain data stored in the storage means, 
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the new chain data being used for the next cryptographic processing. 
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